We analyse the problem of solving Boolean equation systems through the use of structure graphs. The latter are obtained through an elegant set of Plotkin-style deduction rules. Our main contribution is that we show that equation systems with bisimilar structure graphs have the same solution. We show that our work conservatively extends earlier work, conducted by Keiren and Willemse, in which dependency graphs were used to analyse a subclass of Boolean equation systems, viz., equation systems in standard recursive form. We illustrate our approach by a small example, demonstrating the effect of simplifying an equation system through minimisation of its structure graph.
1. INTRODUCTION

A Boolean equation system [Larsen 1993; Mader 1997], equation system for short, is a sequence of fixed-point equations, in which all equations range over the Boolean lattice. The interest in equation systems has both practical and theoretical origins.

Equation systems have been used as a uniform framework for solving traditional verification problems such as the celebrated model checking problem [Mader 1997] and a variety of behavioural equivalence checking problems, see [Mateescu 2003; Chen et al. 2007]; this has led to effective tooling, see e.g. [Garavel et al. 2007; Groote et al. 2009]. The size of the resulting equation system is dependent on the input and the verification problem: for instance, the global μ-calculus model checking problem $L \models \varphi$, where $L$ is a state space and $\varphi$ a formula, can be made to yield equation systems $E_L(\varphi)$ of size $O(|L| \cdot |\varphi|)$, where $|L|$ is the size of the state space and $|\varphi|$ the size of the modal formula. As a result, the encoding to equation systems suffers from a phenomenon akin to the state explosion problem.

From a theoretical stance, the problem of solving an equation system is intriguing: it is in NP ∩ co-NP, see, e.g. [Mader 1997]. In fact, the problem of solving an equation system is equivalent to the problem of computing the winner in a Parity Game [Zielonka 1998]. The latter has been shown to be in UP ∩ co-UP, see [Jurdziński 1998]. This makes the problem of solving an equation system a favourable candidate for finding a polynomial time algorithm, if it exists. Currently, the algorithm with the best worst-case time complexity for solving Parity Games, and thereby equation systems, is the bigstep algorithm [Schewe 2007]. This algorithm has run-time complexity $O(n \cdot m^{d\ldots})$, where $n$ corresponds to the number of vertices, $m$ the number of edges and $d$ the number of priorities in the Parity Game (or equivalently, the number of equations, the cumulative size of the right-hand sides and the number of fixed-point sign alternations in an equation system, respectively).

The run-time complexity of the algorithms for solving equation systems provides a practical motivation for investigating methods for efficiently reducing the size of equation systems. In the absence of notions such as a behaviour of an equation system, an unorthodox strategy in this setting is the use of bisimulation minimisation techniques. Nevertheless, recent work [Keiren and Willemse 2009] demonstrates that such minimisations are practically cost-effective: they yield massive reductions of the size of equation systems, they do not come with memory penalties, and the time required for solving the original equation system significantly exceeds the time required for minimisation and subsequent solving of the minimised equation system.

In ibid., the minimisations are only obtained for a strict subclass of equation systems, viz., equation systems in standard recursive form (SRF). The minimisation technique relies on a bisimulation minimisation for a variation of dependency graphs [Mader 1997; Keinänen 2006] underlying the equation systems in SRF. Such graphs basically reflect the (possibly mutual) dependencies of the equations in an equation system in SRF.

From a practical viewpoint, the class of equation systems in SRF does not pose any limitations to the applicability of the method: every equation system can be brought into SRF without changing the solution to the proposition variables of the original equation system, and the transformation comes at the cost of a blow-up in size. Its effects on the minimising capabilities of bisimulation, however, are unknown, leading to the first question:

1. Let $\mathcal{E}_{/\underline{\leftrightarrow}}$ denote the equation system $\mathcal{E}$ minimised with respect to bisimulation and let $\mathit{SRF}(\mathcal{E})$ denote the equation system $\mathcal{E}$ brought into SRF. The size of $\mathcal{E}$ is denoted by $|\mathcal{E}|$. Does the following inequality hold for all $L$ and $\varphi$:

$$|E_L(\varphi)_{/\underline{\leftrightarrow}}| \le |\mathit{SRF}(E_L(\varphi))_{/\underline{\leftrightarrow}}|$$

Furthermore, it is well-known that the modal μ-calculus is preserved under bisimulation minimisation of the behavioural state space. However, it is unknown whether state space minimisation and minimisation of equation systems encoding a model checking problem are comparable. This leads to the second question:

2. Let $L_{/\underline{\leftrightarrow}}$ denote the labelled transition system $L$ minimised with respect to bisimulation. Does the following inequality hold for all $\varphi$:

$$|E_{L_{/\underline{\leftrightarrow}}}(\varphi)| \ge |E_L(\varphi)_{/\underline{\leftrightarrow}}|$$

In this paper, we answer both questions positively. In addition, for both questions we provide examples in which the inequality is in fact strict. For the second question, our example even illustrates that the bisimulation reduction of equation systems can be arbitrarily larger than the reduction of state spaces.
The main problem in obtaining our results is that it is hard to elegantly capture the structure of an equation system, without resulting in a parse-tree of the equation system. As a matter of fact, bisimilarity is required to reflect associativity and commutativity of Boolean operators such as ∧ and ∨ in order to obtain our aforementioned second result. In addition, the nesting levels of Boolean operators in equation systems complicate a straightforward definition of bisimilarity for such general equation systems. We solve these issues by using a set of deduction rules in Plotkin style [Plotkin 2004] to map the equation systems onto structure graphs. The latter generalise dependency graphs by dropping the requirement that each vertex necessarily represents a proposition variable occurring at the left-hand side of some equation and adding facilities for reasoning about Boolean constants true and false, and unbound variables.

Related Work. This paper extends and improves upon preliminary work presented in [Reniers and Willemse 2010].

Various types of graphs for equation systems have appeared in the literature. In [Mader 1997], Mader considers dependency graphs consisting of vertices representing equations and edges representing the fact that one equation depends on the value of another equation. The structure of the right-hand sides of the equations can in no sense be captured by these graphs. Keinänen [Keinänen 2006] extends the dependency graphs of Mader by decorating the vertices with at most one of the Boolean operators ∧ and ∨, and, in addition, a natural number that abstractly represents the fixed-point sign of the equation. However, the dependency graphs of ibid. only allow for capturing equation systems in SRF. Keiren and Willemse [Keiren and Willemse 2009] use these dependency graphs to investigate two notions of bisimulation, viz., strong bisimulation, and a weakened variation thereof, called idempotence-identifying bisimulation, and their theoretical and practical use for minimising equation systems.

The dependency graphs of [Keinänen 2006; Keiren and Willemse 2009], in turn, are closely related to Parity Games [Zielonka 1998], in which players aim to win an infinite game. It has been shown that the latter problem is equivalent to solving an equation system. Simulation relations for Parity Games have been studied in, among others, [Fritz and Wilke 2006]. Finally, we mention the framework of Switching Graphs [Groote and Ploeger 2009], which have two kinds of edges: ordinary edges and switches, which can be set to one of two destinations. Switching Graphs are more general than dependency graphs, but are still inadequate for directly capturing the structure of the entire class of equation systems. Note that in this setting, the ν-parity loop problem is equivalent to the problem of solving Boolean equation systems.

Outline. For completeness, in Section 2, we briefly describe the formal settings, 
illustrating the model checking problem and how this problem can be translated 
to the problem of solving an equation system. Section 3 subsequently introduces 
structure graphs and the deduction rules for generating these from an equation 
system. Our main results are presented in Sections 4-6. An application of our 
theory can be found in Section 7. Section 8 summarises our results and outlines 
future work. 
2. PRELIMINARIES

Throughout this section, we assume the existence of two sufficiently large, disjoint, 
countable sets of proposition variables X and X. 

2.1 The Modal μ-Calculus

Labelled transition systems provide a formal, semantical model for the behaviour 
of a reactive system. While, in this paper, we are mostly concerned with Boolean 
equation systems, our work is motivated by the model checking problem, i.e., the 
problem of deciding whether a given behavioural specification satisfies a temporal or 
modal formula. For this reason, we first repeat some basic results from the latter 
setting and illustrate its connection to the problem of solving Boolean equation 
systems. 

Definition 2.1. A labelled transition system is a three-tuple $L = (S, \mathit{Act}, \rightarrow)$, consisting of a finite, non-empty set of states $S$, a finite, non-empty set of actions $\mathit{Act}$ and a transition relation $\rightarrow\ \subseteq S \times \mathit{Act} \times S$.

We visualise labelled transition systems by directed, edge-labelled graphs. In line with this graphical notation, we write $s \xrightarrow{a} s'$ iff $(s, a, s') \in\ \rightarrow$. The de facto behavioural equivalence relation for labelled transition systems is strong bisimilarity, see [Park 1981].

Definition 2.2. Let $L = (S, \mathit{Act}, \rightarrow)$ be a labelled transition system. A symmetric relation $R \subseteq S \times S$ is a strong bisimulation if for all $(s, s') \in R$

$$\forall a \in \mathit{Act},\ t \in S :\ s \xrightarrow{a} t \implies \exists t' \in S :\ s' \xrightarrow{a} t' \wedge (t, t') \in R$$

States $s, s' \in S$ are bisimilar iff there is a bisimulation relation $R$ that relates states $s$ and $s'$.

The propositional modal μ-calculus, see [Kozen 1983], is a highly expressive language for analysing behaviours that are defined through a labelled transition system. We refrain from going into details, but solely present its grammar and semantics below. For an accessible contemporary treatment of the modal μ-calculus, we refer to [Bradfield and Stirling 2001].

Definition 2.3. Let $\mathit{Act}$ be a finite set of actions. The set of modal μ-calculus formulae is defined through the following grammar, which is given directly in positive form:

$$\varphi, \psi ::= \mathsf{true} \mid \mathsf{false} \mid X \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid [A]\varphi \mid \langle A\rangle\varphi \mid \nu X.\varphi \mid \mu X.\varphi$$

where $X \in \mathcal{X}$ is a proposition variable; $A \subseteq \mathit{Act}$ is a set of actions; $\mu$ is a least fixed point sign and $\nu$ is a greatest fixed point sign.

Note that our use of generalised modal operators $[A]\varphi$ and $\langle A\rangle\varphi$ is merely for reasons of convenience, and has no implications for the theory presented in this paper. Henceforth, we write $[a]\varphi$ instead of $[\{a\}]\varphi$ and $[\bar{a}]\varphi$ instead of $[\mathit{Act} \setminus \{a\}]\varphi$.

In a formula $\sigma X.\varphi$, each occurrence of the variable $X$ is bound. An occurrence of $X$ in a formula $\varphi$ is bound if it is bound in any subformula of $\varphi$. The set of bound proposition variables in $\varphi$ is denoted $\mathsf{bnd}(\varphi)$; the set of proposition variables that syntactically occur in $\varphi$ is denoted $\mathsf{occ}(\varphi)$. Formula $\varphi$ is said to be closed iff $\mathsf{occ}(\varphi) \subseteq \mathsf{bnd}(\varphi)$. We only consider μ-calculus formulae $\varphi$ that are well-formed, i.e.:

(1) there are no two distinct subformulae of $\varphi$ that bind the same proposition variable;

(2) for every proposition variable $X \notin \mathsf{bnd}(\varphi)$, no subformula $\sigma X.\psi$ occurs in $\varphi$.

The well-formedness requirement is a technicality and does not incur a loss of generality of the theory.

Modal μ-calculus formulae $\varphi$ are interpreted in the context of a labelled transition system and an environment $\theta : \mathcal{X} \to 2^S$ that assigns sets of states to proposition variables. We write $\theta[X := S']$ to represent the environment in which $X$ receives the value $S'$, and all other proposition variables have values that coincide with those given by $\theta$.

Definition 2.4. Let $L = (S, \mathit{Act}, \rightarrow)$ be a labelled transition system and let $\theta : \mathcal{X} \to 2^S$ be a proposition environment. The semantics of a μ-calculus formula $\varphi$ is defined inductively as follows:

$$
\begin{array}{rcl}
[\![\mathsf{true}]\!]\theta & = & S \\
[\![\mathsf{false}]\!]\theta & = & \emptyset \\
[\![X]\!]\theta & = & \theta(X) \\
[\![\varphi \wedge \psi]\!]\theta & = & [\![\varphi]\!]\theta \cap [\![\psi]\!]\theta \\
[\![\varphi \vee \psi]\!]\theta & = & [\![\varphi]\!]\theta \cup [\![\psi]\!]\theta \\
[\![[A]\varphi]\!]\theta & = & \{ s \in S \mid \forall s' \in S : \forall a \in A : s \xrightarrow{a} s' \implies s' \in [\![\varphi]\!]\theta \} \\
[\![\langle A\rangle\varphi]\!]\theta & = & \{ s \in S \mid \exists s' \in S : \exists a \in A : s \xrightarrow{a} s' \wedge s' \in [\![\varphi]\!]\theta \} \\
[\![\nu X.\varphi]\!]\theta & = & \bigcup \{ S' \subseteq S \mid S' \subseteq [\![\varphi]\!]\theta[X := S'] \} \\
[\![\mu X.\varphi]\!]\theta & = & \bigcap \{ S' \subseteq S \mid [\![\varphi]\!]\theta[X := S'] \subseteq S' \}
\end{array}
$$

The global model checking problem, denoted $L, \theta \models \varphi$, is defined as the question whether for all states $s \in S$ of a given labelled transition system $L = (S, \mathit{Act}, \rightarrow)$, we have $s \in [\![\varphi]\!]\theta$, for given formula $\varphi$ and environment $\theta$. The local model checking problem, denoted $L, s, \theta \models \varphi$, is the problem whether $s \in [\![\varphi]\!]\theta$ for a given state $s \in S$. Often, one is only interested in closed formulae: formulae in which no proposition variable occurs that is not bound by a surrounding fixed point sign. Small examples of typical model checking problems can be found in the remainder of this paper.

2.2 Boolean Equation Systems 

A Boolean equation system is a finite sequence of least and greatest fixed point 
equations, where each right-hand side of an equation is a proposition formula. For 
an excellent, in-depth account on Boolean equation systems, we refer to [Mader 
1997]. 

Definition 2.5. A Boolean equation system (BES) $\mathcal{E}$ is defined by the following grammar:

$$
\begin{array}{rcl}
\mathcal{E} & ::= & \epsilon \mid (\nu X = f)\,\mathcal{E} \mid (\mu X = f)\,\mathcal{E} \\
f, g & ::= & \mathsf{true} \mid \mathsf{false} \mid X \mid f \wedge g \mid f \vee g
\end{array}
$$

where $\epsilon$ is the empty BES; $X \in \mathcal{X}$ is a proposition variable; and $f, g$ are proposition formulae. We write $\sigma$ to denote an arbitrary fixed point sign $\mu$ or $\nu$.

We only consider equation systems that are well-formed, i.e., equation systems $\mathcal{E}$ in which a proposition variable $X$ occurs at the left-hand side in at most a single equation in $\mathcal{E}$.

In line with the notions of bound and occurring proposition variables for μ-calculus formulae, we introduce analogous notions for equation systems. Let $\mathcal{E}$ be an arbitrary equation system. The set of bound proposition variables of $\mathcal{E}$, denoted $\mathsf{bnd}(\mathcal{E})$, is the set of variables occurring at the left-hand side of the equations in $\mathcal{E}$. The set of occurring proposition variables, denoted $\mathsf{occ}(\mathcal{E})$, is the set of variables occurring at the right-hand side of some equation in $\mathcal{E}$.

An equation system $\mathcal{E}$ is said to be closed whenever $\mathsf{occ}(\mathcal{E}) \subseteq \mathsf{bnd}(\mathcal{E})$. Intuitively, a (closed) equation system uniquely assigns truth values to its bound proposition variables, provided that every bound variable occurs only at the left-hand side of a single equation in an equation system. An equation system is said to be in simple form if none of the right-hand sides of the equations that occur in the equation system contain both ∧- and ∨-operators.

Proposition variables occurring in a proposition formula $f$ are collected in the set $\mathsf{occ}(f)$. The rank of a proposition variable $X \in \mathsf{bnd}(\mathcal{E})$, notation $\mathsf{rank}_{\mathcal{E}}(X)$, is defined as follows:

$$
\mathsf{rank}_{(\sigma Y = f)\,\mathcal{E}}(X) =
\begin{cases}
\mathsf{rank}_{\mathcal{E}}(X) & \text{if } X \neq Y \\
\mathsf{block}_\sigma(\mathcal{E}) & \text{otherwise}
\end{cases}
$$

where $\mathsf{block}_\sigma(\mathcal{E})$ is defined as:

Informally, the rank of a variable $X$ is the $i$-th block of like-signed equations containing $X$'s defining equation, counting from right to left and starting at 0 if the last equation is a greatest fixed point sign, and 1 otherwise.

Formally, proposition formulae are interpreted in the context of an environment $\eta : \mathcal{X} \to \mathbb{B}$. For an arbitrary environment $\eta$, we write $\eta[X := b]$ for the environment $\eta$ in which the proposition variable $X$ has Boolean value $b$ and all other proposition variables $X'$ have value $\eta(X')$. The ordering $\sqsubseteq$ on environments is defined as $\eta \sqsubseteq \eta'$ iff $\eta(X)$ implies $\eta'(X)$ for all $X$. For reading ease, we do not formally distinguish between a semantic Boolean value and its representation by true and false; likewise, for the operands ∧ and ∨.

Definition 2.6. Let $\eta : \mathcal{X} \to \mathbb{B}$ be an environment. The interpretation $[\![f]\!]\eta$ maps a proposition formula $f$ to true or false:

$$
\begin{array}{rcl}
[\![\mathsf{true}]\!]\eta & = & \mathsf{true} \\
[\![\mathsf{false}]\!]\eta & = & \mathsf{false} \\
[\![X]\!]\eta & = & \eta(X) \\
[\![f \wedge g]\!]\eta & = & [\![f]\!]\eta \wedge [\![g]\!]\eta \\
[\![f \vee g]\!]\eta & = & [\![f]\!]\eta \vee [\![g]\!]\eta
\end{array}
$$

The solution of a BES, given an environment $\eta$, is inductively defined as follows:

$$
\begin{array}{rcl}
[\![\epsilon]\!]\eta & = & \eta \\
[\![(\nu X = f)\,\mathcal{E}]\!]\eta & = & [\![\mathcal{E}]\!]\eta[X := [\![f]\!]([\![\mathcal{E}]\!]\eta[X := \mathsf{true}])] \\
[\![(\mu X = f)\,\mathcal{E}]\!]\eta & = & [\![\mathcal{E}]\!]\eta[X := [\![f]\!]([\![\mathcal{E}]\!]\eta[X := \mathsf{false}])]
\end{array}
$$
A solution to an equation system verifies every equation, in the sense that the value at the left-hand side is logically equivalent to the value at the right-hand side of the equation. At the same time, the fixed-point signs of left-most equations outweigh the fixed-point signs of those equations that follow, i.e., the fixed-point signs of left-most equations are more important. The latter phenomenon is a result of the nested recursion for evaluating the proposition $f$ of the left-most equation $(\sigma X = f)$, assuming an extremal value for $X$. As a consequence, the solution is order-sensitive: the solution to $(\mu X = Y)\,(\nu Y = X)$, yielding all false, differs from the solution to $(\nu Y = X)\,(\mu X = Y)$, yielding all true. It is exactly this tree-like recursive definition of a solution that makes it intricately complex.

Closed equation systems enjoy the property that the solution to the equation system is independent of the environment in which it is defined, i.e., for all environments $\eta, \eta'$, we have $[\![\mathcal{E}]\!]\eta(X) = [\![\mathcal{E}]\!]\eta'(X)$ for all $X \in \mathsf{bnd}(\mathcal{E})$. For this reason, we henceforth refrain from writing the environment explicitly in all our considerations dealing with closed equation systems, i.e., we write $[\![\mathcal{E}]\!]$ and $[\![\mathcal{E}]\!](X)$ instead of the more verbose $[\![\mathcal{E}]\!]\eta$ and $[\![\mathcal{E}]\!]\eta(X)$.

The following lemma relates the semantics for open equation systems to that of closed equation systems. We write $\mathcal{E}[X := b]$, where $X \notin \mathsf{bnd}(\mathcal{E})$ and $b \in \{\mathsf{true}, \mathsf{false}\}$ is a constant, to denote the equation system in which each syntactic occurrence of $X$ is replaced by $b$.

Lemma 2.7. Let $\mathcal{E}$ be an equation system, and let $\eta$ be an arbitrary environment. Assume $X \notin \mathsf{bnd}(\mathcal{E})$ is a proposition variable, and let $b$ be such that $\eta(X) = [\![b]\!]$. Then $[\![\mathcal{E}]\!]\eta = [\![\mathcal{E}[X := b]]\!]\eta$.

Proof. We show this by induction on the size of $\mathcal{E}$. The base case for $\mathcal{E} = \epsilon$ follows immediately. As our induction hypothesis, we take

$$[\![\mathcal{E}]\!]\eta = [\![\mathcal{E}[X := b]]\!]\eta \qquad \text{(IH)}$$

Assume our induction hypothesis holds for $\mathcal{E}$, and let $\eta$ and $b$ be such that $[\![b]\!] = \eta(X)$. Consider the equation system $(\nu Y = f)\,\mathcal{E}$, and assume $X \notin \mathsf{bnd}((\nu Y = f)\,\mathcal{E})$. Using the semantics of equation systems, we reason as follows:

$$
\begin{array}{cl}
& [\![(\nu Y = f)\,\mathcal{E}]\!]\eta \\
= & [\![\mathcal{E}]\!]\eta[Y := [\![f]\!]([\![\mathcal{E}]\!]\eta[Y := \mathsf{true}])] \\
\overset{\text{(IH)}}{=} & [\![\mathcal{E}[X := b]]\!]\eta[Y := [\![f]\!]([\![\mathcal{E}[X := b]]\!]\eta[Y := \mathsf{true}])] \\
\overset{*}{=} & [\![\mathcal{E}[X := b]]\!]\eta[Y := [\![f[X := b]]\!]([\![\mathcal{E}[X := b]]\!]\eta[Y := \mathsf{true}])] \\
= & [\![((\nu Y = f)\,\mathcal{E})[X := b]]\!]\eta
\end{array}
$$

where at $*$, we have used that $[\![f]\!]\eta = [\![f[X := b]]\!]\eta$ for $[\![b]\!] = \eta(X)$. The case for $(\mu Y = f)\,\mathcal{E}$ follows the exact same line of reasoning and is therefore omitted. □
Finally, we introduce some generic shorthand notation. The operators $\bigsqcap$ and $\bigsqcup$ are used as shorthands for nested applications of ∧ and ∨. Formally, these are defined as follows. Let $<$ be a total order on $\mathcal{X} \cup \{\mathsf{true}, \mathsf{false}\}$. Assuming that $<$ is lifted to a total ordering on formulae, we define for a formula $f$ that is $<$-smaller than all formulae in a finite set $F$:

$$
\begin{array}{lll}
\bigsqcap \emptyset = \mathsf{true} & \bigsqcap \{f\} = f \wedge f & \bigsqcap (\{f\} \cup F) = f \wedge \bigsqcap F \\
\bigsqcup \emptyset = \mathsf{false} & \bigsqcup \{f\} = f \vee f & \bigsqcup (\{f\} \cup F) = f \vee \bigsqcup F
\end{array}
$$

Let $X = f$ be a non-fixed point equation, where $f$ is a proposition formula and $X$ is a proposition variable. Assuming that $X$ is $<$-smaller than all left-hand side variables in the equations in a finite set of non-fixed point equations $E$, we define:

$$\sigma\{X = f\} = (\sigma X = f) \qquad\qquad \sigma(\{X = f\} \cup E) = (\sigma X = f)\,\sigma E$$

Note the non-standard duplication of formulae in case the operators $\bigsqcap$ and $\bigsqcup$ are applied to singleton sets. While this has no semantic impact, the reasons for the duplication of the least formula will become apparent in the next section.

2.3 Boolean Equation Systems for Model Checking 

An obvious strategy for solving a typical model checking problem is through the use of Tarski's approximation schemes for computing the solution to the fixed points of monotone operators in a complete lattice, see e.g. [Tarski 1955]. More advanced techniques employ intermediate formalisms such as Boolean equation systems for solving the verification problem.

Below, we provide the translation of the model checking problem to the problem of solving a Boolean equation system. The transformer $E$ reduces the global model checking problem $L, \eta \models \varphi$ to the problem of solving an equation system.

Definition 2.8. Assume $L = (S, \mathit{Act}, \rightarrow)$ is a labelled transition system. Let $\varphi$ be an arbitrary modal μ-calculus formula over $\mathit{Act}$. Suppose that for every proposition variable $X \in \mathsf{occ}(\varphi) \cup \mathsf{bnd}(\varphi)$, we have a set of fresh proposition variables $\{X_s \mid s \in S\} \subseteq \mathcal{X}$.

$$
\begin{array}{rcl}
E_L(b) & = & \epsilon \\
E_L(X) & = & \epsilon \\
E_L(f \wedge g) & = & E_L(f)\,E_L(g) \\
E_L(f \vee g) & = & E_L(f)\,E_L(g) \\
E_L([A]f) & = & E_L(f) \\
E_L(\langle A\rangle f) & = & E_L(f) \\
E_L(\sigma X.f) & = & \big(\sigma\{(X_s = \mathsf{RHS}_s(f)) \mid s \in S\}\big)\,E_L(f)
\end{array}
$$

$$
\begin{array}{rcl}
\mathsf{RHS}_s(b) & = & b \\
\mathsf{RHS}_s(X) & = & X_s \\
\mathsf{RHS}_s(f \wedge g) & = & \mathsf{RHS}_s(f) \wedge \mathsf{RHS}_s(g) \\
\mathsf{RHS}_s(f \vee g) & = & \mathsf{RHS}_s(f) \vee \mathsf{RHS}_s(g) \\
\mathsf{RHS}_s([A]f) & = & \bigsqcap \{\mathsf{RHS}_t(f) \mid a \in A,\ s \xrightarrow{a} t\} \\
\mathsf{RHS}_s(\langle A\rangle f) & = & \bigsqcup \{\mathsf{RHS}_t(f) \mid a \in A,\ s \xrightarrow{a} t\} \\
\mathsf{RHS}_s(\sigma X.f) & = & X_s
\end{array}
$$
Observe that the definition of $E$ provided here coincides (semantically) with the definition given in [Mader 1997] for modal μ-calculus formulae $\varphi$; the only deviation is a syntactic one, ensuring that the $[\_]$ and $\langle\_\rangle$ modalities are mapped onto proposition formulae with ∧ and ∨ as their main logical connectives in case there is a non-empty set of emanating transitions.

The relation between the original local model checking problem and the problem 
of solving a Boolean equation system is stated by the theorem below. 

Theorem 2.9 [Mader 1997]. Assume $L = (S, \mathit{Act}, \rightarrow)$ is a labelled transition system. Let $\sigma X.f$ be an arbitrary modal μ-calculus formula, and let $\theta$ be an arbitrary environment. Then:

$$L, s, \theta \models \sigma X.f \quad\text{iff}\quad \big([\![E_L(\sigma X.f)]\!](\lambda Y_t \in \mathcal{X}.\ t \in \theta(Y))\big)(X_s)$$
The example below illustrates the above translation and theorem. 

Example 2.10. Consider the labelled transition system (depicted below), modelling mutual exclusion between two readers and a single writer.

Reading is started using an action $r_s$ and action $r_e$ indicates its termination. Likewise for writing. The verification problem $\nu X.\mu Y.\langle r_s\rangle X \vee \langle \bar{r}_s\rangle Y$, modelling that on some path, a reader can infinitely often start reading, translates to the following equation system using the translation $E$:

$$
\begin{array}{l}
(\nu X_{s_0} = Y_{s_0})\ (\nu X_{s_1} = Y_{s_1})\ (\nu X_{s_2} = Y_{s_2})\ (\nu X_{s_3} = Y_{s_3}) \\
(\mu Y_{s_0} = (X_{s_1} \vee X_{s_1}) \vee (Y_{s_3} \vee Y_{s_3})) \\
(\mu Y_{s_1} = (X_{s_2} \vee X_{s_2}) \vee (Y_{s_0} \vee Y_{s_0})) \\
(\mu Y_{s_2} = \mathsf{false} \vee (Y_{s_1} \vee Y_{s_1})) \\
(\mu Y_{s_3} = \mathsf{false} \vee (Y_{s_0} \vee Y_{s_0}))
\end{array}
$$

Observe that, like the original μ-calculus formula, which has mutual dependencies between $X$ and $Y$, the resulting equation system has mutual dependencies between the indexed $X$ and $Y$ variables. Solving the resulting equation system leads to true for all bound variables; $X_{s_i} = \mathsf{true}$, for an arbitrary state $s_i$, implies that the property holds in state $s_i$. Furthermore, note that the right-hand sides of the resulting equation system can be rewritten using standard rules of logic, removing, e.g., all occurrences of false.
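The translation $E_L$ of Definition 2.8 and the solution semantics of Section 2.2, carried out in code on Example 2.10 and on the order-sensitive pair $(\mu X = Y)(\nu Y = X)$ versus $(\nu Y = X)(\mu X = Y)$. This is an added example, not the paper's own code; the four-state readers/writer transition system and its action names $r_s, r_e, w_s, w_e$ are constructed here, since the paper shows the system only as a figure.

```python
# Added example (not the paper's code): Definition 2.8's translation E_L of a
# modal mu-calculus formula into a Boolean equation system, together with the
# solution semantics of Section 2.2, run on Example 2.10 and on the
# order-sensitive pair (muX = Y)(nuY = X) versus (nuY = X)(muX = Y). The
# four-state readers/writer transition system is constructed here (the paper
# shows it only as a figure); the action names r_s, r_e, w_s, w_e are assumed.
from typing import Dict, List, Tuple

# Formulae as tuples: ("true",), ("false",), ("var", X), ("and", f, g),
# ("or", f, g), ("box", A, f), ("dia", A, f), ("nu", X, f), ("mu", X, f).
Formula = tuple
Equation = Tuple[str, str, Formula]                  # (sign, variable, rhs)
Lts = Tuple[List[str], List[Tuple[str, str, str]]]   # (states, transitions)

def big(conn: str, fs: List[Formula]) -> Formula:
    """The nested-disjunction (conn="or") / nested-conjunction (conn="and")
    shorthand of Section 2.2: the empty set gives false (resp. true), a
    singleton {f} is duplicated to f v f, otherwise the <-smallest formula is
    split off. Python's tuple ordering plays the role of the total order <."""
    fs = sorted(set(fs))
    if not fs:
        return ("false",) if conn == "or" else ("true",)
    if len(fs) == 1:
        return (conn, fs[0], fs[0])
    return (conn, fs[0], big(conn, fs[1:]))

def rhs_s(s: str, f: Formula, lts: Lts) -> Formula:
    """RHS_s of Definition 2.8: the right-hand side for state s."""
    _, trans = lts
    tag = f[0]
    if tag in ("true", "false"):
        return f
    if tag in ("var", "nu", "mu"):          # X and sigma X.f both become X_s
        return ("var", f"{f[1]}_{s}")
    if tag in ("and", "or"):
        return (tag, rhs_s(s, f[1], lts), rhs_s(s, f[2], lts))
    conn = "and" if tag == "box" else "or"  # [A]f needs all, <A>f some successor
    return big(conn, [rhs_s(t, f[2], lts) for u, a, t in trans if u == s and a in f[1]])

def translate(f: Formula, lts: Lts) -> List[Equation]:
    """E_L of Definition 2.8: one equation per state for each fixed point."""
    states, _ = lts
    tag = f[0]
    if tag in ("true", "false", "var"):
        return []
    if tag in ("and", "or"):
        return translate(f[1], lts) + translate(f[2], lts)
    if tag in ("box", "dia"):
        return translate(f[2], lts)
    return [(tag, f"{f[1]}_{s}", rhs_s(s, f[2], lts)) for s in states] + translate(f[2], lts)

def interp(f: Formula, env: Dict[str, bool]) -> bool:
    """Definition 2.6: a proposition formula under environment eta."""
    tag = f[0]
    if tag == "true":
        return True
    if tag == "false":
        return False
    if tag == "var":
        return env[f[1]]
    left, right = interp(f[1], env), interp(f[2], env)
    return (left and right) if tag == "and" else (left or right)

def solve(es: List[Equation], env: Dict[str, bool]) -> Dict[str, bool]:
    """Solution of an equation system, as used in the proof of Lemma 2.7:
    [[eps]]eta = eta and
    [[(sigma X = f) E]]eta = [[E]]eta[X := [[f]]([[E]]eta[X := c])]
    with c = true for nu and c = false for mu. Left-most signs dominate because
    the remainder E is solved again under the candidate value for X."""
    if not es:
        return dict(env)
    sign, x, f = es[0]
    inner = solve(es[1:], {**env, x: sign == "nu"})
    return solve(es[1:], {**env, x: interp(f, inner)})

# Constructed transition system of Example 2.10: s0 idle, s1 one reader active,
# s2 two readers active, s3 writer active.
READERS_WRITER: Lts = (["s0", "s1", "s2", "s3"], [
    ("s0", "r_s", "s1"), ("s1", "r_s", "s2"), ("s1", "r_e", "s0"),
    ("s2", "r_e", "s1"), ("s0", "w_s", "s3"), ("s3", "w_e", "s0")])
NOT_RS = {"r_e", "w_s", "w_e"}                  # the complement of {r_s}
# nu X. mu Y. <r_s>X v <not r_s>Y
PHI: Formula = ("nu", "X", ("mu", "Y", ("or", ("dia", {"r_s"}, ("var", "X")),
                                             ("dia", NOT_RS, ("var", "Y")))))

def example_2_10() -> Tuple[List[Equation], Dict[str, bool]]:
    """The equation system of Example 2.10 and its solution (all true)."""
    es = translate(PHI, READERS_WRITER)
    return es, solve(es, {})

def order_sensitivity() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """(muX = Y)(nuY = X) solves to all false, (nuY = X)(muX = Y) to all true."""
    x_eq, y_eq = ("mu", "X", ("var", "Y")), ("nu", "Y", ("var", "X"))
    return solve([x_eq, y_eq], {}), solve([y_eq, x_eq], {})
```

The recursion in `solve` re-solves the remainder once per candidate value, so it is exponential in the number of equations; that is the "tree-like recursive definition" of Section 2.2, not an efficient solver.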

3. STRUCTURE GRAPHS FOR BOOLEAN EQUATION SYSTEMS 

A large part of the complexity of equation systems is attributed to the mutual dependencies between the equations. These intricate dependencies are neatly captured by structure graphs. Another issue is how to deal with variables that are not defined in the equation system but are used in proposition formulae. We first introduce structure graphs, and define the well-known notion of bisimilarity on those. In Section 3.1, we define how a structure graph can be obtained from a formula in the context of an equation system. In Section 3.2, we define how an equation system can be associated to a structure graph assuming that it satisfies some well-formedness constraints.

Definition 3.1. Given a set of proposition variables $\mathcal{X}$. A structure graph over $\mathcal{X}$ is a vertex-labelled graph $\mathcal{G} = (T, t, \rightarrow, d, r, f)$, where:

— $T$ is a finite set of vertices;
— $t \in T$ is the initial vertex;
— $\rightarrow\ \subseteq T \times T$ is a dependency relation;
— $d : T \rightharpoonup \{\wedge, \vee, \top, \bot\}$ is a vertex decoration mapping;
— $r : T \rightharpoonup \mathbb{N}$ is a vertex ranking mapping;
— $f : T \rightharpoonup \mathcal{X}$ is a free variable mapping.

A structure graph allows for capturing the dependencies between bound variables and (sub)formulae occurring in the equations of such bound variables. Intuitively, the decoration mapping $d$ reflects whether the top symbol of a proposition formula is true (represented by $\top$), false (represented by $\bot$), a conjunction (represented by $\wedge$), or a disjunction (represented by $\vee$). The vertex ranking mapping $r$ indicates the rank of a vertex. The free variable mapping indicates whether a vertex represents a free variable. Note that each vertex can have at most one rank, at most one decoration $\star \in \{\wedge, \vee, \top, \bot\}$, and at most one free variable $X$. We sometimes write $t$ to refer to a structure graph $(T, t, \rightarrow, d, r, f)$, where $t$ is in fact the root of the structure graph. One can easily define bisimilarity on structure graphs.

Definition 3.2. Let $\mathcal{G} = (T, t, \rightarrow, d, r, f)$ and $\mathcal{G}' = (T', t', \rightarrow', d', r', f')$ be structure graphs. A relation $R \subseteq T \times T'$ is a bisimulation relation if for all $(u, u') \in R$

— $d(u) = d'(u')$, $r(u) = r'(u')$, and $f(u) = f'(u')$;
— for all $v \in T$, if $u \rightarrow v$, then $u' \rightarrow' v'$ for some $v' \in T'$ such that $(v, v') \in R$;
— for all $v' \in T'$, if $u' \rightarrow' v'$, then $u \rightarrow v$ for some $v \in T$ such that $(v, v') \in R$.

Two vertices $u$ and $u'$ are bisimilar, notation $u \underline{\leftrightarrow} u'$, if there exists a bisimulation relation $R$ such that $(u, u') \in R$.

3.1 Structured Operational Semantics for equation systems

Next, we define structure graphs for arbitrary equation systems $\mathcal{E}$ and proposition formulae $f$. We use Plotkin-style Structural Operational Semantics [Plotkin 2004] to associate a structure graph with a formula $f$ in the context of an equation system $\mathcal{E}$, notation $\langle f, \mathcal{E}\rangle$. The deduction rules define a relation $\_ \rightarrow \_$ and predicates $\_ \vdash n$ (for $n \in \mathbb{N}$), $\_ \leadsto X$ (for $X \in \mathcal{X}$), $\_\top$, $\_\bot$, $\_\wedge$, and $\_\vee$. In the deduction rules also negative premises are used, see [Mousavi et al. 2005] for an overview.

The notations used in the deduction rules are slightly different from those used in the structure graphs. The predicate $t \leadsto X$ represents $f(t) = X$, the predicate $t \vdash n$ represents $r(t) = n$, and for $\star \in \{\wedge, \vee, \top, \bot\}$, $t\star$ represents $d(t) = \star$. The notation $t \nvdash$ represents $\neg(t \vdash n)$ for all $n \in \mathbb{N}$.

First, as we are dealing with possibly open equation systems, free variables are labelled as such:
$$\frac{X \notin \mathsf{bnd}(\mathcal{E})}{\langle X, \mathcal{E}\rangle \leadsto X}\ (1)$$

In addition, vertices representing bound proposition variables are labelled by a natural number representing the rank of the variable in the equation system:

$$\frac{X \in \mathsf{bnd}(\mathcal{E})}{\langle X, \mathcal{E}\rangle \vdash \mathsf{rank}_{\mathcal{E}}(X)}\ (2)$$

Note that these deduction rules will not allow the derivation of a rank for a proposition variable that is not bound by the equation system.

In Boolean equation systems, conjunction and disjunction are binary operators. A question that needs to be answered is "How to capture this structure in the structure graph?" One way of doing so would be to precisely reflect the structure of the proposition formula. For a formula of the form $X \wedge (Y \wedge Z)$ in the context of an empty equation system this results in the first structure graph depicted below:

[Figure: two parse-tree-like structure graphs. In the first, $\langle X \wedge (Y \wedge Z), \epsilon\rangle$ (decorated $\wedge$) has edges to $\langle X, \epsilon\rangle$ (free variable $X$) and to $\langle Y \wedge Z, \epsilon\rangle$ (decorated $\wedge$), which in turn has edges to $\langle Y, \epsilon\rangle$ (free variable $Y$) and $\langle Z, \epsilon\rangle$ (free variable $Z$). In the second, $\langle (Y \wedge X) \wedge Z, \epsilon\rangle$ has edges to $\langle Y \wedge X, \epsilon\rangle$ and $\langle Z, \epsilon\rangle$, and $\langle Y \wedge X, \epsilon\rangle$ has edges to $\langle Y, \epsilon\rangle$ and $\langle X, \epsilon\rangle$.]

A drawback of this solution is that, in general, the logical equivalence between $X \wedge (Y \wedge Z)$ and $(Y \wedge X) \wedge Z$ (see the second structure graph above) is not reflected by bisimilarity. Retaining this logical equivalence (and hence associativity and commutativity) of both conjunction and disjunction is desirable, and, in fact, one of our major goals.

The logical connectives for conjunction ($\wedge$) and disjunction ($\vee$) may occur nested in a formula. This is solved by reflecting a change in leading operator in the structure graph. So the anticipated structure of the structure graph for $X \wedge (Y \wedge (Z \vee X))$, where, again, we assume that the equation system contains no equations, is:
[Figure: the structure graph of $\langle X \wedge (Y \wedge (Z \vee X)), \epsilon\rangle$ (decorated $\wedge$), which has among its successors $\langle Z \vee X, \epsilon\rangle$ (decorated $\vee$), which in turn has $\langle Z, \epsilon\rangle$ as a successor.]

This can be elegantly achieved by means of the following deduction rules for the decorations and the dependency transition relation $\rightarrow$.

$$
\begin{array}{cccc}
\dfrac{}{\langle \mathsf{true}, \mathcal{E}\rangle\top}\ (3) &
\dfrac{}{\langle \mathsf{false}, \mathcal{E}\rangle\bot}\ (4) &
\dfrac{}{\langle f \wedge f', \mathcal{E}\rangle\wedge}\ (5) &
\dfrac{}{\langle f \vee f', \mathcal{E}\rangle\vee}\ (6)
\end{array}
$$

$$
\begin{array}{cc}
\dfrac{\langle f, \mathcal{E}\rangle\wedge \quad \langle f, \mathcal{E}\rangle\nvdash \quad \langle f, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}\ (7) &
\dfrac{\langle f', \mathcal{E}\rangle\wedge \quad \langle f', \mathcal{E}\rangle\nvdash \quad \langle f', \mathcal{E}\rangle \rightarrow \langle g', \mathcal{E}\rangle}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle g', \mathcal{E}\rangle}\ (8) \\[3ex]
\dfrac{\langle f, \mathcal{E}\rangle\vee \quad \langle f, \mathcal{E}\rangle\nvdash \quad \langle f, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}\ (9) &
\dfrac{\langle f', \mathcal{E}\rangle\vee \quad \langle f', \mathcal{E}\rangle\nvdash \quad \langle f', \mathcal{E}\rangle \rightarrow \langle g', \mathcal{E}\rangle}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle g', \mathcal{E}\rangle}\ (10)
\end{array}
$$

$$
\begin{array}{cc}
\dfrac{\ldots}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (11) &
\dfrac{\ldots}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle f', \mathcal{E}\rangle}\ (12) \\[3ex]
\dfrac{\ldots}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (13) &
\dfrac{\ldots}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle f', \mathcal{E}\rangle}\ (14)
\end{array}
$$

$$
\begin{array}{cc}
\dfrac{\langle f, \mathcal{E}\rangle \vdash n}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (15) &
\dfrac{\langle f', \mathcal{E}\rangle \vdash n}{\langle f \wedge f', \mathcal{E}\rangle \rightarrow \langle f', \mathcal{E}\rangle}\ (16) \\[3ex]
\dfrac{\langle f, \mathcal{E}\rangle \vdash n}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (17) &
\dfrac{\langle f', \mathcal{E}\rangle \vdash n}{\langle f \vee f', \mathcal{E}\rangle \rightarrow \langle f', \mathcal{E}\rangle}\ (18)
\end{array}
$$

Rules (3-6) describe the axioms for decoration. The first four deduction rules (7-10) for $\rightarrow$ are introduced to flatten the nesting hierarchy of the same connective. They can be used to deduce that $\langle X \wedge (Y \wedge Z), \epsilon\rangle \rightarrow \langle Y, \epsilon\rangle$. Deduction rules 11-18 describe the dependencies in case no flattening is possible anymore (by absence of structure). The deduction rules 11-14 deal with the case that a subformula has no $\wedge$ or $\vee$. Deduction rules 7-10 work for the situation that the subformula has a $\wedge$ or $\vee$ but that this is not caused by a recursion variable. The deduction rules 15-18 deal with the case that the subformula represents a bound variable.

Finally, we present deduction rules that describe how the structure of a vertex representing a variable is derived from the right-hand side of the corresponding equation. Observe that the deduction rules only have to deal with the case that a defining equation for the recursion variable $X$ has been found in the Boolean equation system. Deduction rules 21 and 22 define the dependency relation for the case that the right-hand side is a variable or a constant. Deduction rules 23 and 24 do this for the cases where it is a proposition formula that is not a variable or a constant.

$$
\begin{array}{cc}
\dfrac{\sigma X = f \in \mathcal{E} \quad \langle f, \mathcal{E}\rangle\wedge \quad \langle f, \mathcal{E}\rangle\nvdash}{\langle X, \mathcal{E}\rangle\wedge}\ (19) &
\dfrac{\sigma X = f \in \mathcal{E} \quad \langle f, \mathcal{E}\rangle\vee \quad \langle f, \mathcal{E}\rangle\nvdash}{\langle X, \mathcal{E}\rangle\vee}\ (20) \\[3ex]
\dfrac{\sigma X = f \in \mathcal{E} \quad \neg\langle f, \mathcal{E}\rangle\vee \quad \neg\langle f, \mathcal{E}\rangle\wedge}{\langle X, \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (21) &
\dfrac{\sigma X = f \in \mathcal{E} \quad \langle f, \mathcal{E}\rangle \vdash n}{\langle X, \mathcal{E}\rangle \rightarrow \langle f, \mathcal{E}\rangle}\ (22) \\[3ex]
\dfrac{\sigma X = f \in \mathcal{E} \quad \langle f, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle \quad \langle f, \mathcal{E}\rangle\wedge \quad \langle f, \mathcal{E}\rangle\nvdash}{\langle X, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}\ (23) &
\dfrac{\sigma X = f \in \mathcal{E} \quad \langle f, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle \quad \langle f, \mathcal{E}\rangle\vee \quad \langle f, \mathcal{E}\rangle\nvdash}{\langle X, \mathcal{E}\rangle \rightarrow \langle g, \mathcal{E}\rangle}\ (24)
\end{array}
$$

Example 3.3. An equation system 𝓔 (see left) and its associated structure graph 
(see right). Observe that the term X ∧ Y is shared by the equations for X and Y, 
and appears only once in the structure graph as an unranked vertex. There is no 
equation for Z; this is represented by term Z, decorated only by the label ↗Z. The 
subterm Z ∨ W in the equation for W does not appear as a separate vertex in the 
structure graph, since the disjunctive subterm occurs within the scope of another 
disjunction. 

μX = (X ∧ Y) ∨ Z 
νY = W ∨ (X ∧ Y) 
μW = Z ∨ (Z ∨ W) 

[Figure: the structure graph of 𝓔. Vertices: ⟨X, 𝓔⟩ ▼ ⊢ 3 with successors ⟨X ∧ Y, 𝓔⟩ and ⟨Z, 𝓔⟩; 
⟨X ∧ Y, 𝓔⟩ ▲, unranked, with successors ⟨X, 𝓔⟩ and ⟨Y, 𝓔⟩; ⟨Y, 𝓔⟩ ▼ ⊢ 2 with successors 
⟨W, 𝓔⟩ and ⟨X ∧ Y, 𝓔⟩; ⟨W, 𝓔⟩ ▼ ⊢ 1 with successors ⟨Z, 𝓔⟩ and itself; ⟨Z, 𝓔⟩ ↗Z without successors.] 

Given a formula f and an equation system 𝓔, ⟨f, 𝓔⟩ denotes the part of the 
structure graph generated by the deduction rules that is reachable from the vertex 
⟨f, 𝓔⟩. 

Lemma 3.4. Let 𝓔 be an equation system. Let f, f', g and g' be arbitrary propo- 
sition formulae such that ⟨f, 𝓔⟩ ↔ ⟨f', 𝓔⟩ and ⟨g, 𝓔⟩ ↔ ⟨g', 𝓔⟩. Then the following 
hold: 

⟨f ∧ g, 𝓔⟩ ↔ ⟨f' ∧ g', 𝓔⟩,    ⟨f ∨ g, 𝓔⟩ ↔ ⟨f' ∨ g', 𝓔⟩ 

PROOF. Suppose that bisimilarity of ⟨f, 𝓔⟩ and ⟨f', 𝓔⟩ is witnessed by R and the 
bisimilarity of ⟨g, 𝓔⟩ and ⟨g', 𝓔⟩ is witnessed by S. The relation {(⟨f ∧ g, 𝓔⟩, ⟨f' ∧ 
g', 𝓔⟩)} ∪ R ∪ S is a bisimulation relation that proves bisimilarity of ⟨f ∧ g, 𝓔⟩ and 
⟨f' ∧ g', 𝓔⟩. Similarly, {(⟨f ∨ g, 𝓔⟩, ⟨f' ∨ g', 𝓔⟩)} ∪ R ∪ S is a bisimulation relation 
that proves bisimilarity of ⟨f ∨ g, 𝓔⟩ and ⟨f' ∨ g', 𝓔⟩. □ 
The following lemma indicates that we achieved the goal that bisimilarity on 
structure graphs respects logical equivalences such as commutativity, associativity 
and a weak form of idempotence for the ∧ and ∨ operators. 

Lemma 3.5. Let 𝓔 be an equation system. Let f, f', and f'' be arbitrary propo- 
sition formulae. Then the following h old: 

⟨(f ∧ f') ∧ f'', 𝓔⟩ ↔ ⟨f ∧ (f' ∧ f''), 𝓔⟩, 

⟨(f ∨ f') ∨ f'', 𝓔⟩ ↔ ⟨f ∨ (f' ∨ f''), 𝓔⟩, 

⟨f ∧ f', 𝓔⟩ ↔ ⟨f' ∧ f, 𝓔⟩, 

⟨f ∨ f', 𝓔⟩ ↔ ⟨f' ∨ f, 𝓔⟩, 

⟨(f ∧ f) ∧ f', 𝓔⟩ ↔ ⟨f ∧ f', 𝓔⟩, 

⟨(f ∨ f) ∨ f', 𝓔⟩ ↔ ⟨f ∨ f', 𝓔⟩ 

Proof. The proofs are easy. For example, the bisimulation relation that wit- 
nesses bisimilarity of ⟨(f ∧ f') ∧ f'', 𝓔⟩ and ⟨f ∧ (f' ∧ f''), 𝓔⟩ is the relation that relates 
all formulae of the form ⟨(g ∧ g') ∧ g'', 𝓔⟩ and ⟨g ∧ (g' ∧ g''), 𝓔⟩ and additionally con- 
tains the identity relation on structure graphs. Proofs of the "transfer conditions" 
are easy as well. As an example, suppose that ⟨(g ∧ g') ∧ g'', 𝓔⟩ → ⟨h, 𝓔⟩ for some 
formula h. In case this transition is due to ⟨g ∧ g', 𝓔⟩▲ and ⟨g ∧ g', 𝓔⟩ → ⟨h, 𝓔⟩, one 
of the cases that occurs for ⟨g ∧ g', 𝓔⟩ → ⟨h, 𝓔⟩ is that ⟨g, 𝓔⟩▲ and ⟨g, 𝓔⟩ → ⟨h, 𝓔⟩. 
We obtain ⟨g ∧ (g' ∧ g''), 𝓔⟩ → ⟨h, 𝓔⟩. Since ⟨h, 𝓔⟩ and ⟨h, 𝓔⟩ are related, this finishes 
the proof of the transfer condition in this case. All other cases are similar or at 
least equally easy. □ 

Corollary 3.6. Let 𝓔 be an equation system. Let F and G be arbitrary fi- 
nite sets of proposition formulae such that (1) for all f ∈ F there exists g ∈ G 
with ⟨f, 𝓔⟩ ↔ ⟨g, 𝓔⟩, and, vice versa, (2) for all g ∈ G there exists f ∈ F with 
⟨g, 𝓔⟩ ↔ ⟨f, 𝓔⟩. Then, ⟨⨅F, 𝓔⟩ ↔ ⟨⨅G, 𝓔⟩ and ⟨⨆F, 𝓔⟩ ↔ ⟨⨆G, 𝓔⟩. 

Proof. The corollary follows immediately from the congruence of ∧ and ∨ 
(Lemma 3.4) and commutativity and associativity of those (Lemma 3.5). □ 

Idempotence of ∧ and ∨, and more involved logical equivalences such as distri- 
bution and absorption are not captured by isomorphism or even bisimilarity on 
the structure graphs. The reason is that, for an arbitrary equation system 𝓔 and 
variable X, the vertex associated with ⟨X ∧ X, 𝓔⟩ will be decorated by ▲, whereas 
the vertex associated with ⟨X, 𝓔⟩ is not! 

3.2 Translating Structure Graphs to Equation Systems 

Next, we show how, under some mild conditions, a formula and equation system 
can be obtained from a structure graph. Later in the paper this transformation 
will be used and proved correct. 

A structure graph 𝒢 = (T, t, →, d, r, ↗) is called BESsy if it satisfies the following 
constraints: 

— a vertex decorated by ⊤, ⊥ or ↗X for some X has no successor w.r.t. →; 
— a vertex is decorated by ▲ or ▼ or a rank iff it has a successor w.r.t. →; 
— a vertex with multiple successors w.r.t. → is decorated with ▲ or ▼; 
— every cycle contains a vertex with a rank. 
Observe that BESsyness is preserved under bisimilarity: 

Lemma 3.7. Let 𝒢 and 𝒢' be bisimilar structure graphs. Then, 𝒢 is BESsy if, 
and only if, 𝒢' is BESsy. 

Proof. This follows immediately from the transfer conditions of bisimilarity. □ 

The following lemma states that any structure graph obtained from a formula 
and an equation system is BESsy. 

Lemma 3.8. For any formula f and equation system 𝓔, the structure graph ⟨f, 𝓔⟩ 
is BESsy. 

PROOF. We have to establish that the structure graph ⟨f, 𝓔⟩ is BESsy. Thereto 
it has to be shown that the four items of the definition of BESsyness are satisfied. 

The first one trivially follows by considering all the possibilities for generating a 
vertex labelled by either ⊤, ⊥, or ↗. In each case it turns out that f is of a form 
that does not allow the derivation of a →-transition. 

The proof of the second item requires induction on the depth of the proof of 
⟨f, 𝓔⟩▲, ⟨f, 𝓔⟩▼, or ⟨f, 𝓔⟩ ⊢ n, respectively. Inside this induction there is a case 
distinction on the deduction rule that has been applied last in the proof. 

For the proof of the third item it suffices to consider all possibilities for generating 
multiple successors and it follows easily that in these cases the vertex is also labelled 
by ▲ or ▼. 

The last item follows trivially from the observation that a cycle of successor 
relations can never be generated without using a bound variable along the cycle. 
This would inevitably introduce a rank for that vertex. □ 

For a BESsy structure graph 𝒢 = (T, t, →, d, r, ↗) the function φ is defined as 
follows: for u ∈ T 

φ(u) = 
    ⨅{φ(u') | u → u'}    if d(u) = ▲ and u ∉ dom(r), 
    ⨆{φ(u') | u → u'}    if d(u) = ▼ and u ∉ dom(r), 
    true                  if d(u) = ⊤, 
    false                 if d(u) = ⊥, 
    X                     if ↗(u) = X, 
    X_u                   otherwise. 

The function φ introduces variables for those vertices that are in the domain of 
the vertex rank mapping or the free variable mapping. In the second case, the 
associated variable name is used. In the former case a fresh variable name is 
introduced to represent the vertex. For other vertices the structure that is offered 
via the vertex decoration mapping d is used to obtain a formula representing such a 
structure. 

Definition 3.9. Let 𝒢 = (T, t, →, d, r, ↗) be a BESsy structure graph. The equa- 
tion system associated to 𝒢, denoted β(𝒢), is defined below. 

To each vertex u ∈ T such that u ∈ dom(r), we associate an equation of the form 

σX_u = rhs(u) 

ACM Transactions on Computational Logic, Vol. V, No. N, February 2010. 

Here σ is μ in case the rank associated to the vertex is odd, and ν otherwise. rhs(u) 
is defined as follows: 

rhs(u) = 
    ⨅{φ(u') | u → u'}    if d(u) = ▲ 
    ⨆{φ(u') | u → u'}    if d(u) = ▼ 

The equation system β(𝒢) is obtained by ordering the equations from left to right, 
ensuring that the ranks of the vertices associated to the equations are descending. 

We next show the correspondence between a BES and the BES obtained from its 
structure graph. First, given a formula f and a BES 𝓔, we inductively define the 
set of relevant proposition variables K_𝓔(f) as follows: 



The set of relevant proposition variables contains exactly the variables on which f, 
interpreted in the context of 𝓔, depends in some way. As long as it is clear from the 
context, we abbreviate K_𝓔(f) to κ. 

Using such a set κ of relevant variables, we can define the BES 𝓔 restricted to κ, 
denoted 𝓔_κ, inductively as follows: 



One can show that the number of equations in 𝓔_κ is the same as the number of 
equations in β(⟨f, 𝓔⟩). 

More specifically, a solution preserving ordering of the equations in β(⟨f, 𝓔⟩) 
can be found such that each equation σY = f ∈ 𝓔_κ corresponds to the equation 
σX_⟨Y,𝓔⟩ = rhs(⟨Y, 𝓔⟩) ∈ β(⟨f, 𝓔⟩). Assume that 𝓔_κ = (σ₁X₁ = f₁) … (σₙXₙ = fₙ), 
then β(⟨f, 𝓔⟩) = (σ₁X_⟨X₁,𝓔⟩ = rhs(⟨X₁, 𝓔⟩)) … (σₙX_⟨Xₙ,𝓔⟩ = rhs(⟨Xₙ, 𝓔⟩)). Observe 
that in these equation systems, it suffices to show that the right-hand sides match 
in order to find that both equation systems have the same solution. The fact that 
the right-hand sides indeed match is shown by the following proposition. 

PROPOSITION 3.10. Let 𝓔 be a BES such that σY = f ∈ 𝓔. Then for all environ- 
ments η for which η(Z) = η(X_⟨Z,𝓔⟩) for all Z ∈ bnd(𝓔), we have ⟦f⟧η = ⟦rhs(⟨Y, 𝓔⟩)⟧η. 

PROOF. We prove this using a distinction on the cases of rhs(⟨Y, 𝓔⟩). The proof 
involves a number of lemmata expressing distribution laws of φ over the Boolean con- 
nectives ∧ and ∨, as well as the relation between f and φ(⟨f, 𝓔⟩) for arbitrary 
formulae f. These lemmata in turn require proofs involving case distinctions on 
the SOS rules, and induction on formulae.¹ □ 

¹ For reviewing purposes, the required lemmata, as well as a detailed proof of this proposition (as 
Proposition A.4) can be found in the appendix. 

We can combine these results to find that evaluating a formula f in a BES 𝓔, 
and evaluating the formula φ(⟨f, 𝓔⟩) in the BES β(⟨f, 𝓔⟩) are equivalent. 

Theorem 3.11. Let 𝓔 be a BES and η an environment. Then for all formulae 
f it holds that ⟦f⟧⟦𝓔⟧η = ⟦φ(⟨f, 𝓔⟩)⟧⟦β(⟨f, 𝓔⟩)⟧η. 

Proof. The sketch of the proof is as follows. First we restrict 𝓔 to the equations 
that are relevant for f, i.e. let κ = K_𝓔(f); then 𝓔_κ and β(⟨f, 𝓔⟩) have the same fix- 
point alternations, and the equation systems can be aligned such that each equation 
σY = f ∈ 𝓔_κ is at the same position as the equation σX_⟨Y,𝓔⟩ = rhs(⟨Y, 𝓔⟩) ∈ β(⟨f, 𝓔⟩). 
Note that this reordering does not influence the solution. Furthermore, using Propo- 
sition 3.10 we find that the right-hand sides of all these equations coincide. Then 
also the bound variables in both BESses have the same solution, and hence our 
claim follows.² □ 

4. NORMALISATION OF STRUCTURE GRAPHS 

In BESsy structure graphs, a vertex that is decorated by a rank typically represents 
a proposition variable that occurs at the left-hand side of some equation in the 
associated equation system, whereas the non-ranked vertices can occur as subterms 
in right-hand sides of equations with mixed occurrences of ∧ and ∨. Normalisation 
of a structure graph assigns ranks to each non-ranked vertex that has successors. 
The net effect of this operation is that the structure graph obtained thusly induces 
an equation system in simple form. In choosing the rank, one has some degree 
of freedom; an effective and sound strategy is to ensure that all equations in the 
associated equation system end up in the very last block. This is typically achieved 
by assigning 0 as a rank. 



   t▲                   t▼                   t → t' 
──────── (25)        ──────── (26)        ─────────────────── (27) 
norm(t)▲             norm(t)▼             norm(t) → norm(t') 

   t⊤                   t⊥                   t ↗X 
──────── (28)        ──────── (29)        ─────────── (30) 
norm(t)⊤             norm(t)⊥             norm(t) ↗X 

   t ⊢ n                 t⊬    t → t' 
──────────── (31)     ─────────────── (32) 
norm(t) ⊢ n             norm(t) ⊢ 0 

The last deduction rule expresses that in case a vertex t does not have a rank, 
rank 0 is associated to the normalised version of t, provided, of course, that the 
vertex has a successor. Observe that normalisation preserves BESsyness of the 
structure graph, i.e., normalising any BESsy structure graph again yields a 
BESsy structure graph. 

Property 4.1. Let t be an arbitrary BESsy structure graph. 

(1) φ(norm(t)) ∈ 𝒳 ∪ {true, false}; 

(2) β(norm(t)) is in simple form; 

(3) norm(norm(t)) ↔ norm(t). 

² For reviewing purposes a more detailed version of the proof is included as Theorem A.7 in the 
appendix. 



The lemmata below formalise that the solution to an equation system that is 
induced by a BESsy structure graph, is preserved and reflected by the equation 
system associated to the normalised counterpart of that structure graph. 



Lemma 4.2. Let t be a BESsy structure graph. Then, there is a total injective 
mapping h : bnd(β(t)) → bnd(β(norm(t))), such that for all η: 

∀X ∈ bnd(β(t)) : ⟦β(t)⟧η(X) = ⟦β(norm(t))⟧η(h(X)) 

Proof. Observe that for each ranked vertex u in t, vertex norm(u) has the same 
rank in norm(t). Following Definition 3.9, these vertices both induce equations in the 
equation systems that appear in the same block of identical fixed point equations. 
All unranked vertices u' in t that are ranked in norm(t) induce ν-equations at the 
end of the equation system induced by norm(t). References to these latter equations 
can be eliminated, following [Mader 1997, Lemma 6.3]. □ 



Lemma 4.3. Let t be a BESsy structure graph. Then, for all η: 

⟦φ(t)⟧⟦β(t)⟧η = ⟦φ(norm(t))⟧⟦β(norm(t))⟧η 

Proof. Follows from Lemma 4.2. □ 



The example below illustrates an application of normalisation, and it provides a 
demonstration of the above lemmata and their implications. 



Example 4.4. The BESsy structure graph depicted at the left contains a single 
vertex that is not decorated with a rank. Normalisation of this structure graph 
yields the structure graph depicted at the right. Assuming that vertex t is the root, 
β(t) is as follows: 

(μX_u = (X_u ∧ (X_w ∧ X_w)) ∨ (X_v ∨ X_v)) 
(νX_w = (X_u ∧ (X_w ∧ X_w)) ∨ (X_x ∨ X_x)) 
(μX_v = X_v) 
(μX_x = X_v ∨ (X_x ∨ X_x)) 

β(norm(t)) has similar top-level logical operands as β(t), but contains an extra 
greatest fixed point equation trailing the other four, and references to this equation: 

(μX_norm(u) = X_norm(t) ∨ (X_norm(v) ∨ X_norm(v))) 
(νX_norm(w) = X_norm(t) ∨ (X_norm(x) ∨ X_norm(x))) 
(μX_norm(v) = X_norm(v)) 
(μX_norm(x) = X_norm(v) ∨ (X_norm(x) ∨ X_norm(x))) 
(νX_norm(t) = X_norm(u) ∧ (X_norm(w) ∧ X_norm(w))) 

[Figure: left, the structure graph t with vertices t ▲ (unranked) → u, w; u ▼ ⊢ 3 → t, v; 
w ▼ ⊢ 2 → t, x; v ⊢ 1 → v; x ▼ ⊢ 1 → v, x. Right, norm(t): the same graph on the vertices 
norm(t) ▲ ⊢ 0, norm(u) ▼ ⊢ 3, norm(w) ▼ ⊢ 2, norm(v) ⊢ 1 and norm(x) ▼ ⊢ 1.] 

According to Lemma 4.2, there is an injection h : bnd(β(t)) → bnd(β(norm(t))), such 
that for all X ∈ bnd(β(t)), we have ⟦β(t)⟧(X) = ⟦β(norm(t))⟧(h(X)); h(X_z) = X_norm(z) 
for z ∈ {u, v, w, x} is such an injection. Following Lemma 4.3, we furthermore find 
⟦φ(t)⟧⟦β(t)⟧ = ⟦X_u ∧ X_w⟧⟦β(t)⟧ = ⟦X_norm(t)⟧⟦β(norm(t))⟧ = ⟦φ(norm(t))⟧⟦β(norm(t))⟧. 
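The constructions of Definition 3.9 and the normalisation rules above, made executable on the graph of Example 4.4, as an added example (not code from the paper): a BESsy check, the formula map φ, the translation β and norm. The Graph class, the vertex names and the string rendering of formulae are this example's own choices; ⨅ and ⨆ are rendered the way the printed equations of Examples 4.4 and 4.6 show them.

```python
"""Structure graphs made concrete: the BESsy constraints of Section 3.2, the
formula map φ and the translation β of Definition 3.9, and normalisation (rules
25-32). Added example, not the paper's code; Graph, the vertex names and the
formula rendering are this example's choices (⨅/⨆ rendered as in Examples 4.4/4.6)."""
from dataclasses import dataclass, field

AND, OR, TOP, BOT = "and", "or", "top", "bot"   # the decorations ▲, ▼, ⊤, ⊥

@dataclass
class Graph:
    root: str
    succ: dict                                  # u -> set of successors (→)
    deco: dict = field(default_factory=dict)    # partial decoration map d
    rank: dict = field(default_factory=dict)    # partial rank map r
    free: dict = field(default_factory=dict)    # partial free-variable map ↗

def is_bessy(g):
    """The four BESsy constraints; (4) holds iff the sub-graph on the
    unranked vertices is acyclic (checked by a grey/black depth-first search)."""
    for u, out in g.succ.items():
        d = g.deco.get(u)
        if (d in (TOP, BOT) or u in g.free) and out:          # (1)
            return False
        if (d in (AND, OR) or u in g.rank) != bool(out):      # (2)
            return False
        if len(out) > 1 and d not in (AND, OR):               # (3)
            return False
    colour = {}

    def acyclic_from(u):
        colour[u] = "grey"
        for v in g.succ[u]:
            if v in g.rank:                     # a ranked vertex breaks the cycle
                continue
            if colour.get(v) == "grey" or (v not in colour and not acyclic_from(v)):
                return False
        colour[u] = "black"
        return True
    return all(u in colour or acyclic_from(u) for u in g.succ if u not in g.rank)

def big(op, parts):
    """⨅ (op='∧') or ⨆ (op='∨') of a list of formulae, rendered as in the paper's
    printed examples: right-nested, last element doubled, empty meet/join = true/false."""
    par = lambda f: f if " " not in f else f"({f})"
    if not parts:
        return "true" if op == "∧" else "false"
    acc = f"{par(parts[-1])} {op} {par(parts[-1])}"
    for p in reversed(parts[:-1]):
        acc = f"{par(p)} {op} ({acc})"
    return acc

def phi(g, u):
    """φ(u) of Section 3.2; the recursion terminates because of constraint (4)."""
    d = g.deco.get(u)
    if d in (AND, OR) and u not in g.rank:
        return big("∧" if d == AND else "∨", [phi(g, v) for v in sorted(g.succ[u])])
    if d == TOP:
        return "true"
    if d == BOT:
        return "false"
    if u in g.free:
        return g.free[u]
    return f"X_{u}"

def rhs(g, u):
    """rhs(u) of Definition 3.9 for a ranked vertex; a ranked vertex with a single
    undecorated successor gets φ of that successor (cf. μX_v = X_v in Example 4.4)."""
    parts = [phi(g, v) for v in sorted(g.succ[u])]
    d = g.deco.get(u)
    return big("∧" if d == AND else "∨", parts) if d in (AND, OR) else parts[0]

def beta(g):
    """β(g): one equation per ranked vertex, μ for odd and ν for even rank, ranks descending."""
    return [f"{'μ' if g.rank[u] % 2 else 'ν'}X_{u} = {rhs(g, u)}"
            for u in sorted(g.rank, key=lambda u: (-g.rank[u], u))]

def norm(g):
    """Rules 25-32: keep decorations, ranks and edges and give rank 0 to every
    unranked vertex with a successor (vertices keep their names instead of norm(u))."""
    n = Graph(g.root, {u: set(vs) for u, vs in g.succ.items()},
              dict(g.deco), dict(g.rank), dict(g.free))
    n.rank.update({u: 0 for u, vs in g.succ.items() if vs and u not in g.rank})
    return n

# The structure graph of Example 4.4: t is the unranked ▲-vertex; u ▼3, w ▼2, v 1, x ▼1.
EX44 = Graph("t",
             succ={"t": {"u", "w"}, "u": {"t", "v"}, "w": {"t", "x"},
                   "v": {"v"}, "x": {"v", "x"}},
             deco={"t": AND, "u": OR, "w": OR, "x": OR},
             rank={"u": 3, "w": 2, "v": 1, "x": 1})

if __name__ == "__main__":
    print("BESsy:", is_bessy(EX44), " φ(t) =", phi(EX44, "t"))
    print("β(t):", *beta(EX44), sep="\n  ")
    print("β(norm(t)):", *beta(norm(EX44)), sep="\n  ")
```

Running it prints exactly the four equations of β(t) and the five of β(norm(t)) listed in Example 4.4 (with X_u in place of X_norm(u)).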

The below theorem states that bisimilarity on structure graphs is a congruence 
for normalisation. Ultimately, this means that the simple form is beneficial from 
a bisimulation perspective: normalisation leads to smaller quotients of structure 
graphs. This addresses the hitherto open question concerning the effect of normal- 
isation on the bisimulation reductions of [Keiren and Willemse 2009]. 

Theorem 4.5. Let t, t' be arbitrary, but bisimilar structure graphs. Then also 
norm(t) ↔ norm(t'). 

Proof. Let R be a bisimulation relation witnessing t ↔ t'. We define the rela- 
tion R_n as {(norm(u), norm(u')) | (u, u') ∈ R}. Then R_n is a bisimulation relation 
witnessing norm(t) ↔ norm(t'). □ 

Finally, we show that normalisation is in fact sometimes beneficial for bisimilarity. 

Example 4.6. Consider the labelled transition system L given below. 

Let φ = νX.[a]X ∧ ⟨b⟩X. Consider the equation system E_L(φ) given below, together 
with its associated structure graph: 

(νX_s0 = (X_s2 ∧ X_s2) ∧ (X_s0 ∨ (X_s1 ∨ X_s1))) 
(νX_s1 = true ∧ (X_s0 ∨ (X_s2 ∨ X_s2))) 
(νX_s2 = true ∧ (X_s0 ∨ (X_s1 ∨ X_s1))) 

[Figure: the structure graph of E_L(φ), with vertices ⟨X_s0, 𝓔⟩ ▲ ⊢ 0, ⟨X_s1, 𝓔⟩ ▲ ⊢ 0, 
⟨X_s2, 𝓔⟩ ▲ ⊢ 0, ⟨X_s0 ∨ (X_s1 ∨ X_s1), 𝓔⟩ ▼, ⟨X_s0 ∨ (X_s2 ∨ X_s2), 𝓔⟩ ▼ and ⟨true, 𝓔⟩ ⊤.] 



Observe that the above structure graph can be minimised with respect to bisim- 
ilarity, identifying vertices ⟨X_s1, 𝓔⟩ and ⟨X_s2, 𝓔⟩, as well as ⟨X_s0 ∨ (X_s1 ∨ X_s1), 𝓔⟩ and 
⟨X_s0 ∨ (X_s2 ∨ X_s2), 𝓔⟩. Normalising the above structure graph adds the label ⊢ 0 to 
vertices ⟨X_s0 ∨ (X_s1 ∨ X_s1), 𝓔⟩ and ⟨X_s0 ∨ (X_s2 ∨ X_s2), 𝓔⟩, leading to the minimised 
normalised structure graph below: 

[Figure: the minimised normalised structure graph, with vertices norm(⟨X_s0, 𝓔⟩)/↔ ▲ ⊢ 0, 
norm(⟨X_s0 ∨ (X_s1 ∨ X_s1), 𝓔⟩)/↔ ▼ ⊢ 0, norm(⟨X_s1, 𝓔⟩)/↔ ▲ ⊢ 0 and norm(⟨true, 𝓔⟩)/↔ ⊤.] 

The above structure graph induces the following equation system: 

(νX_norm(⟨X_s0,𝓔⟩)/↔ = X_norm(⟨X_s0 ∨ (X_s1 ∨ X_s1),𝓔⟩)/↔ ∧ (X_norm(⟨X_s1,𝓔⟩)/↔ ∧ X_norm(⟨X_s1,𝓔⟩)/↔)) 
(νX_norm(⟨X_s1,𝓔⟩)/↔ = X_norm(⟨X_s0 ∨ (X_s1 ∨ X_s1),𝓔⟩)/↔ ∧ (true ∧ true)) 
(νX_norm(⟨X_s0 ∨ (X_s1 ∨ X_s1),𝓔⟩)/↔ = X_norm(⟨X_s0,𝓔⟩)/↔ ∨ (X_norm(⟨X_s1,𝓔⟩)/↔ ∨ X_norm(⟨X_s1,𝓔⟩)/↔)) 

The size of 𝓔 is 26. By comparison, the size of the equation system induced by 
the minimised normalised structure graph is 18; one can easily check that 
the equation system induced by the non-normalised minimised structure graph is 
larger than 18. Hence this example illustrates that |E_L(φ)/↔| > |SRF(E_L(φ))/↔|, 
showing that transforming to SRF may be beneficial to the minimising capabilities 
of bisimulation. 

5. BISIMILARITY IMPLIES SOLUTION EQUIVALENCE 

In this section we state one of our main results, proving that equation systems cor- 
responding to bisimilar BESsy structure graphs essentially have the same solution. 
This allows one to safely use bisimulation minimisation of the structure graph, and 
solve the equation system induced by the minimal structure graph instead. Before 
we give our main theorem, we first lift some known results for equation systems, see 
e.g. [Mader 1997; Keinänen 2006; Keiren and Willemse 2009], to structure graphs. 

Definition 5.1. Let (T, t, →, d, r, ↗) be a structure graph. A partial function 
γ : T ↦ T is a •-choice function, with • ∈ {▲, ▼}, when both: 

— dom(γ) = {u ∈ T | d(u) = • ∧ u →}; 

— u → γ(u) for all u ∈ dom(γ). 

Given a •-choice function γ, with • ∈ {▲, ▼}, for a structure graph, we can obtain 
a new structure graph by choosing one successor among the successors for vertices 
decorated with a •, viz., the one prescribed by γ. This is formalised next. 

Definition 5.2. Let 𝒢 = (T, t, →, d, r, ↗) be an arbitrary structure graph. Let 
• ∈ {▲, ▼}, and γ a •-choice function. The structure graph 𝒢_γ, obtained by applying 
the •-choice function γ on 𝒢, is defined as the six-tuple (T, t, →_γ, d_γ, r, ↗), where: 

— for all u ∉ dom(γ), u →_γ u' iff u → u'; 

— for all u ∈ dom(γ), only u →_γ γ(u); 

— d_γ(t) = d(t) and dom(d_γ) = {u | d(u) ≠ •}. 

Observe that a structure graph obtained by applying a ▲-choice function entails a 
structure graph in which no vertex is labelled with ▲. Similarly, applying a ▼-choice 
function yields a structure graph without ▼-labelled vertices. 

Property 5.3. Let t be an arbitrary BESsy structure graph. Assume an arbi- 
trary •-choice function γ on t. Then norm(t)_γ is again BESsy. 

The effect that applying, e.g., a ▲-choice function has on the solution to the 
equation system associated to the structure graph to which it is applied, is charac- 
terised by the proposition below. This result is well-known in the setting of equation 
systems, see, e.g. [Mader 1997]. 

Proposition 5.4. Let t be a normalised, BESsy structure graph, with no vertex 
labelled ↗. 

(1) For all ▲-choice functions γ applied to t, we have ⟦β(t)⟧ ⊆ ⟦β(t_γ)⟧; 

(2) There exists a ▲-choice function γ, such that ⟦β(t)⟧ = ⟦β(t_γ)⟧. 

(3) For all ▼-choice functions γ applied to t, we have ⟦β(t)⟧ ⊇ ⟦β(t_γ)⟧; 

(4) There exists a ▼-choice function γ, such that ⟦β(t)⟧ = ⟦β(t_γ)⟧. 

PROOF. Follows immediately from [Mader 1997, Proposition 3.36], and the cor- 
respondence between structure graphs and Boolean Equation Systems. □ 

In some cases, viz., when a structure graph is void of any vertices labelled ▼ or void 
of vertices labelled ▲, the solution of an equation system associated to a structure 
graph can be characterised by the structure of the graph. While one could consider 
these to be degenerate cases, they are essential in our proof of the main theorem in 
this section. A key concept used in characterising the solution of equation systems 
in the degenerate cases is that of a ν-dominated lasso, and its dual, the μ-dominated 
lasso. 
Definition 5.5. Let t be a BESsy structure graph. A lasso starting in t is a finite 
sequence t₀, t₁, …, tₙ, satisfying t₀ = t, tₙ = t_j for some j < n, and for each 
1 ≤ i ≤ n, t_{i-1} → t_i. A lasso is said to be ν-dominated if max{r(t_i) | j ≤ i ≤ n} is 
even; otherwise it is μ-dominated. 

The following lemma is loosely based on lemmata taken from Keinänen (see 
Lemmata 40 and 41 in [Keinänen 2006]). 

Lemma 5.6. Let t be a normalised, BESsy structure graph in which no vertex is 
labelled with ↗. Then: 

(1) if no vertex in t is labelled with ▲ then ⟦φ(t)⟧⟦β(t)⟧ = true iff some lasso starting 
in t is ν-dominated, or some maximal, finite path starting in t terminates in a 
vertex labelled with ⊤; 

(2) if no vertex in t is labelled with ▼ then ⟦φ(t)⟧⟦β(t)⟧ = false iff some lasso starting 
in t is μ-dominated, or some maximal, finite path starting in t terminates in a 
vertex labelled with ⊥. 

Proof. We only consider the first statement; the proof of the second statement 
is dual. Observe that since no vertex in t is labelled with ▲, φ(u) is not of the form 
⨅{u₁, …, uₙ} for any u. We distinguish two cases: 

(1) Assume there is a ν-dominated lasso t₀, t₁, …, tₙ starting in t. BESsyness of 
t implies that there is a ranked vertex t_i on the cycle of the lasso. Without 
loss of generality assume that t_i has the highest rank on the cycle of the ν- 
dominated lasso. By definition, this highest rank is even. This means that it 
induces an equation νX_{t_i} = g_i in β(t), that precedes all other equations σX_{t_k} = g_k 
induced by the other vertices on the cycle. Consider the path snippet starting 
in t_i, leading to t_i again: t_i, t_{i+1}, …, t_{n-1}, t_j, t_{j+1}, …, t_{i-1}. Gauß elimination [Mader 
1997] allows one to substitute for X_{t_{i+1}} in the equation for X_{t_i}, yielding 
νX_{t_i} = g_i[X_{t_{i+1}} := g_{i+1}]. Repeatedly applying Gauß elimination on the path 
snippet ultimately allows one to rewrite νX_{t_i} = g_i to νX_{t_i} = g'_i ∨ X_{t_i}, since 
X_{t_{i-1}} depends on X_{t_i} again. The solution to νX_{t_i} = g'_i ∨ X_{t_i} is easily seen to be 
X_{t_i} = true. This solution ultimately propagates through the entire lasso, and 
back to t₀, leading to φ(t) = X_{t₀} = true. 

(2) Suppose there is a finite path t₀, t₁, …, tₙ starting in t, where tₙ is labelled with 
⊤. This means that there is an equation σX_{tₙ} = true on which X_{t₀} depends. As 
the equation σX_{tₙ} = true is solved, we may immediately substitute the solution 
in all other formulae on the path. As none of the formulae are conjunctive, we 
find φ(t) = true. 

Conversely, observe that due to Proposition 5.4, there is a structure graph t_γ, void 
of any vertices labelled ▼, that has an equation system associated to it with solution 
equivalent to that of the equation system associated to t. This means that t_γ has 
no branching structure, but is necessarily a set of lassoes and maximal, finite paths. 
In case the root of t is on a lasso, ⟦φ(t)⟧⟦β(t)⟧ = true is because the cycle on the 
lasso has an even highest rank. In the other case, ⟦φ(t)⟧⟦β(t)⟧ = true can only be 
the case because ultimately t_γ leads to a vertex labelled true. □ 
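Lemma 5.6 run on small constructed graphs, as an added example (not the paper's code): the ν-dominated-lasso / ⊤-path characterisation is computed by a search over simple paths and cross-checked against a direct fixpoint evaluation of the induced equation system, for the ▲-free case and its dual. The SG tuple, the vertex names and the sample graphs are assumptions of this example; the fixpoint evaluation follows the standard semantics of Boolean equation systems, not a routine of the paper.

```python
"""Lemma 5.6 made executable (added example, not the paper's code). In a normalised
BESsy graph without ▲-vertices and free variables, [[φ(t)]][[β(t)]] is true iff some
lasso from the root is ν-dominated or some maximal finite path ends in ⊤; dually for
▼-free graphs with μ, ⊥ and false. Vertex names and sample graphs are constructed."""
from collections import namedtuple

TOP, BOT = "top", "bot"
# root; succ: vertex -> set of successors; deco: terminal vertex -> TOP/BOT;
# rank: vertex -> int (normalised: every vertex with a successor is ranked)
SG = namedtuple("SG", "root succ deco rank")

def induced_bes(g, conj):
    """β(g) in the lemma's setting: each ranked vertex u yields σX_u = (join, or meet
    if conj, of its successors), σ = μ for odd and ν for even rank; terminals are
    true/false. Equations are ordered by descending rank as in Definition 3.9."""
    def value(v, env):
        return env[v] if v in g.rank else g.deco[v] == TOP
    comb = all if conj else any
    return [("μ" if g.rank[u] % 2 else "ν", u,
             lambda env, u=u: comb(value(v, env) for v in g.succ[u]))
            for u in sorted(g.rank, key=lambda u: (-g.rank[u], u))]

def solve(eqs, env):
    """Standard BES semantics: [[(σX = f)E]]η = [[E]](η[X := σ-fixpoint of
    v ↦ [[f]]([[E]](η[X := v]))]). Over the Boolean lattice the fixpoint is found
    by probing σ's extreme value (true for ν, false for μ)."""
    if not eqs:
        return env
    sigma, x, f = eqs[0]
    probe = sigma == "ν"
    val = probe if f(solve(eqs[1:], {**env, x: probe})) == probe else not probe
    return solve(eqs[1:], {**env, x: val})

def solution(g, conj):
    """[[φ(t)]][[β(t)]]: the root's variable in the solved system (or its constant)."""
    env = solve(induced_bes(g, conj), {})
    return env[g.root] if g.root in g.rank else g.deco[g.root] == TOP

def by_lemma_5_6(g, conj):
    """Lemma 5.6 read off the graph. ▲-free case (conj=False): True iff a ν-dominated
    lasso or a maximal finite path to ⊤ starts at the root. ▼-free case (conj=True):
    True iff a μ-dominated lasso or a maximal finite path to ⊥ starts at the root.
    Only simple paths are explored: every lasso can be shortened to one."""
    parity, terminal = (1, BOT) if conj else (0, TOP)
    def explore(path):
        u = path[-1]
        if not g.succ.get(u):                  # maximal finite path
            return g.deco.get(u) == terminal
        for v in sorted(g.succ[u]):
            if v in path:                      # closes a lasso; its cycle is path[j:]
                if max(g.rank[w] for w in path[path.index(v):]) % 2 == parity:
                    return True
            elif explore(path + [v]):
                return True
        return False
    return explore([g.root])

def agree(g, conj):
    """Fixpoint evaluation vs. the structural characterisation of Lemma 5.6."""
    predicted = by_lemma_5_6(g, conj) if not conj else not by_lemma_5_6(g, conj)
    return solution(g, conj) == predicted

# ▲-free: a → {b, c}, b → {b}, c → {a, e}, e → {e}; lasso a, c, a has even max rank 2.
G_NU_LASSO = SG("a", {"a": {"b", "c"}, "b": {"b"}, "c": {"a", "e"}, "e": {"e"}},
                {}, {"a": 1, "b": 1, "c": 2, "e": 3})
# ▲-free: only the μ-dominated lassos a, b, b and a, c, c; no ⊤ reachable -> false.
G_MU_ONLY = SG("a", {"a": {"b", "c"}, "b": {"b"}, "c": {"c"}}, {}, {"a": 1, "b": 1, "c": 3})
# ▲-free: the maximal finite path a, d ends in ⊤ -> true despite the μ-lasso a, b, b.
G_TOP_PATH = SG("a", {"a": {"b", "d"}, "b": {"b"}, "d": set()}, {"d": TOP}, {"a": 1, "b": 1})
# ▼-free (dual): a conjunctive, μ-dominated lasso a, c, c -> false.
G_CONJ = SG("a", {"a": {"b", "c"}, "b": {"b"}, "c": {"c"}}, {}, {"a": 2, "b": 2, "c": 1})

if __name__ == "__main__":
    for name, g, conj in (("ν-lasso", G_NU_LASSO, False), ("μ-only", G_MU_ONLY, False),
                          ("⊤-path", G_TOP_PATH, False), ("conjunctive", G_CONJ, True)):
        print(f"{name:12s} solution={solution(g, conj)} agrees_with_lemma={agree(g, conj)}")
```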

Using the structure graph characterisation of the solution, we prove that for BESsy 
structure graphs that do not have vertices labelled with ↗ and in which all vertices 
not labelled with ⊤ or ⊥ have a rank, bisimulation minimisation of the structure 
graph preserves the solution of the associated BES. 

Lemma 5.7. Let t, t' be normalised BESsy structure graphs in which no vertex is 
labelled with ↗. Assume t is minimal w.r.t. strong bisimilarity. Then t ↔ t' implies 
⟦φ(t)⟧⟦β(t)⟧ = ⟦φ(t')⟧⟦β(t')⟧. 

Proof. The case where the root of t is decorated with a ⊤ or ⊥ is trivial and 
therefore omitted. Assume that the root of t is decorated with neither ⊤ nor ⊥. By 
Proposition 5.4 we know that there is a ▼-choice function γ such that ⟦β(t_γ)⟧ = 
⟦β(t)⟧. We next construct a ▼-choice function γ' for t' that satisfies the following 
condition: 

∀u ∈ dom(γ), u' ∈ dom(γ') : u ↔ u' ⟹ γ(u) ↔ γ'(u') 

Observe that we have t_γ ↔ t'_γ', as the choices for successors chosen in previously 
bisimilar ▼-labelled vertices are synchronised by the ▼-choice function. Because of 
this bisimilarity and the finiteness of t', any ν-dominated lasso starting in a vertex u 
reachable in t implies the existence of a similar ν-dominated lasso starting in vertices 
u' reachable in t' that are bisimilar to u, and, of course, also vice versa. Likewise for 
maximal finite paths. Suppose the root vertex of t_γ has only ν-dominated lassoes 
and finite maximal paths ending in ⊤-labelled vertices. Then so has t'_γ'. This means 
that 

⟦φ(t)⟧⟦β(t)⟧ = ⟦φ(t_γ)⟧⟦β(t_γ)⟧ =† true = ⟦φ(t'_γ')⟧⟦β(t'_γ')⟧ ⊆* ⟦φ(t')⟧⟦β(t')⟧ 

At †, we used Lemma 5.6 and at *, we used Proposition 5.4 to conclude that the 
equation system associated to t'_γ' has a smaller solution than the one associated to t'. 
The case where ⟦φ(t)⟧⟦β(t)⟧ = false follows the same line of reasoning, constructing a 
structure graph with a ▲-choice function γ, resulting in a structure graph containing 
no vertices labelled ▲. □ 

We set out to prove that bisimilar structure graphs t and t' always give rise to 
equation systems and formulae with the same truth value. The above lemma may 
seem like a roundabout way in proving this property. In particular, the assump- 
tion in Lemma 5.7 that t is minimal with respect to bisimilarity may seem odd. 
The reason for using the quotient is due to our appeal to the non-constructive 
Proposition 5.4, as we illustrate through the following example. 

Example 5.8. Consider the two bisimilar BESsy structure graphs t and t' below: 

[Figure: the structure graph t, with vertices t ▼ ⊢ 1, v ▼ ⊢ 1 and w ⊢ 2, and the 
structure graph t', with vertices t' ▼ ⊢ 1 and w' ⊢ 2.] 

Following Lemma 5.6, we know that all vertices will be associated to proposition 
variables with solution true, as both structure graphs are normalised and contain no 
▲-labelled vertices. Appealing to Proposition 5.4, we know that there is a structure 
graph t_γ that gives rise to an equation system with the same solution as the one 
that can be associated to t. In fact, there are three choices for t_γ: 

[Figure: the three candidate structure graphs t_γ, each on the vertices t ⊢ 1, v ⊢ 1 
and w ⊢ 2, differing in the successor chosen for the ▼-labelled vertices.] 

Note that all three structure graphs are associated to equation systems with the 
same solution as the equation system for t. However, while the middle structure 
graph would allow us to construct a ▼-choice function that resolves the choice of 
successors for the vertex in question, the other two structure graphs do not allow us to do so, 
simply because they have bisimilar vertices whose only successor leads to different 
equivalence classes. Such conflicts do not arise when assuming that t is already 
minimal, in which case each vertex represents a unique class. 

Regardless of the above example, we can still derive the desired result. Based on 
the previous lemma, the fact that bisimilarity is an equivalence relation on structure 
graphs and the fact that quotienting is well-behaved, we find the following theorem, 
which holds for arbitrary BESsy structure graphs. 

Theorem 5.9. Let t, t' be arbitrary bisimilar BESsy structure graphs. Then for 
all environments η, ⟦φ(t)⟧⟦β(t)⟧η = ⟦φ(t')⟧⟦β(t')⟧η. 

Proof. Let η be an arbitrary environment. Let t̄ and t̄' be the structure graphs 
obtained from t and t' by replacing all decorations of the form ↗X of all vertices 
with ⊤ if η(X) = true, and ⊥ otherwise. Note that we have t̄ ↔ t̄'. Based on 
Lemma 2.7 and Definition 3.9, we find: 

Likewise, we can derive such an equivalence for t' and t̄'. By Lemma 4.3, we find: 

⟦φ(t̄)⟧⟦β(t̄)⟧ = ⟦φ(norm(t̄))⟧⟦β(norm(t̄))⟧ 

Again, a similar equivalence can be derived for t̄' and norm(t̄'). Observe that 
by Theorem 4.5, we find that t̄ ↔ t̄' implies norm(t̄) ↔ norm(t̄'). Observe that 
norm(t̄) ↔ norm(t̄)/↔ ↔ norm(t̄'). Finally, since all three are still BESsy structure 
graphs, that furthermore do not contain vertices labelled with ↗, we can apply 
Lemma 5.7 twice to find: 

⟦φ(norm(t̄))⟧⟦β(norm(t̄))⟧ 
= ⟦φ(norm(t̄)/↔)⟧⟦β(norm(t̄)/↔)⟧ 
= ⟦φ(norm(t̄'))⟧⟦β(norm(t̄'))⟧ 

But this necessitates our desired conclusion: 

⟦φ(t)⟧⟦β(t)⟧η = ⟦φ(t')⟧⟦β(t')⟧η 

□ 
6. BISIMILARITY ON PROCESSES VS BISIMILARITY ON STRUCTURE GRAPHS 

The μ-calculus and bisimilarity of labelled transition systems are intimately re- 
lated: two states in a transition system are bisimilar iff the states satisfy the same 
set of μ-calculus formulae. As a result, one can rely on bisimulation minimisa- 
tion techniques for reducing the complexity of the labelled transition system, prior 
to analysing whether a given μ-calculus formula holds for that system. Unfortu- 
nately, in practice, bisimulation reductions are often disappointing, and have to be 
combined with safe abstractions in order to be worthwhile. 

We show that minimising an equation system that encodes a model checking 
problem is, size-wise, always at least as effective as first applying a safe abstraction 
to the labelled transition system, subsequently minimising the latter and only then 
encoding the model checking problem in an equation system. An additional example 
illustrates that bisimulation minimisation for equation systems can in fact be more 
effective. 

Lemma 6.1. Assume L = (S, Act, →) is an arbitrary labelled transition system. 
Let φ be an arbitrary formula. Then, for arbitrary equation system 𝓔, we have: 

if ∀s, s' ∈ S : s ↔ s' ⟹ ∀X ∈ bnd(φ) ∪ occ(φ) : ⟨X_s, 𝓔⟩ ↔ ⟨X_s', 𝓔⟩ 
then ∀s, s' ∈ S : s ↔ s' ⟹ ⟨RHS_s(φ), 𝓔⟩ ↔ ⟨RHS_s'(φ), 𝓔⟩ 

PROOF. Assume a given equation system 𝓔. We proceed by means of an induc- 
tion on the structure of φ. 

— Base cases. Assume that for all s, s' ∈ S, satisfying s ↔ s', and all X ∈ bnd(φ) ∪ 
occ(φ), we have ⟨X_s, 𝓔⟩ ↔ ⟨X_s', 𝓔⟩. Assume that t, t' ∈ S are arbitrary states 
satisfying t ↔ t'. 

— ad φ = b, where b ∈ {true, false}. Clearly, ⟨RHS_t(φ), 𝓔⟩ = ⟨b, 𝓔⟩ = ⟨RHS_t'(φ), 𝓔⟩, 
so bisimilarity is guaranteed by unicity of the term, regardless of the states t 
and t'; 

— ad φ = X. Clearly, X ∈ occ(φ), so the required conclusion follows immediately 
from the fact that ⟨RHS_t(φ), 𝓔⟩ = ⟨X_t, 𝓔⟩ ↔ ⟨X_t', 𝓔⟩ = ⟨RHS_t'(φ), 𝓔⟩; 

— Inductive cases: we assume the following induction hypothesis: 

if ∀s, s' ∈ S : s ↔ s' ⟹ ∀X ∈ bnd(f_i) ∪ occ(f_i) : ⟨X_s, 𝓔⟩ ↔ ⟨X_s', 𝓔⟩ 
then ∀s, s' ∈ S : s ↔ s' ⟹ ⟨RHS_s(f_i), 𝓔⟩ ↔ ⟨RHS_s'(f_i), 𝓔⟩ 

From hereon, assume that we have a pair of bisimilar states t, t' ∈ S. 

— ad φ = f₁ ∧ f₂. Assume that for any pair of bisimilar states s, s' ∈ S, and 
for all X ∈ bnd(f₁ ∧ f₂) ∪ occ(f₁ ∧ f₂) = (bnd(f₁) ∪ occ(f₁)) ∪ (bnd(f₂) ∪ 
occ(f₂)), we have ⟨X_s, 𝓔⟩ ↔ ⟨X_s', 𝓔⟩. By our induction hypothesis, we have 
⟨RHS_t(f₁), 𝓔⟩ ↔ ⟨RHS_t'(f₁), 𝓔⟩ and ⟨RHS_t(f₂), 𝓔⟩ ↔ ⟨RHS_t'(f₂), 𝓔⟩. Lemma 3.4 
immediately leads to ⟨RHS_t(f₁) ∧ RHS_t(f₂), 𝓔⟩ ↔ ⟨RHS_t'(f₁) ∧ RHS_t'(f₂), 𝓔⟩. By 
definition of RHS, we have the required ⟨RHS_t(f₁ ∧ f₂), 𝓔⟩ ↔ ⟨RHS_t'(f₁ ∧ f₂), 𝓔⟩. 

— ad φ = f₁ ∨ f₂. Follows the same line of reasoning as the previous case. 

— ad φ = [A]f₁. Assume that for all pairs of bisimilar states s, s' ∈ S, and all 
X ∈ bnd([A]f₁) ∪ occ([A]f₁) = bnd(f₁) ∪ occ(f₁), we have ⟨X_s, 𝓔⟩ ↔ ⟨X_s', 𝓔⟩. 
By induction, we find that ⟨RHS_s(f₁), 𝓔⟩ ↔ ⟨RHS_s'(f₁), 𝓔⟩ holds for all pairs 
of bisimilar states s, s' ∈ S. This includes states t and t'. Since t and t' are 
bisimilar, we have t →ᵃ iff t' →ᵃ for all a ∈ A. We distinguish two cases: 

(1) Case t ↛ᵃ for any a ∈ A. Then also t' ↛ᵃ for any a ∈ A. Hence, 
RHS_t([A]f₁) = true = RHS_t'([A]f₁). We thus immediately have the re- 
quired ⟨RHS_t([A]f₁), 𝓔⟩ ↔ ⟨RHS_t'([A]f₁), 𝓔⟩; 

(2) Case t →ᵃ for some a ∈ A. Assume that t →ᵃ u. Since t ↔ t', we have 
t' →ᵃ u' for some u' ∈ S satisfying u ↔ u' (and vice versa). Because of our 
induction hypothesis, we then also have ⟨RHS_u(f₁), 𝓔⟩ ↔ ⟨RHS_u'(f₁), 𝓔⟩ 
(and vice versa). We thus find that for every term in the non-empty set 
{⟨RHS_u(f₁), 𝓔⟩ | a ∈ A, t →ᵃ u}, we can find a bisimilar term in the set 
{⟨RHS_u'(f₁), 𝓔⟩ | a ∈ A, t' →ᵃ u'} and vice versa. Then, by Corollary 3.6, 
also ⟨⨅{RHS_u(f₁) | a ∈ A, t →ᵃ u}, 𝓔⟩ ↔ ⟨⨅{RHS_u'(f₁) | a ∈ A, t' →ᵃ u'}, 𝓔⟩. 
This leads to ⟨RHS_t([A]f₁), 𝓔⟩ ↔ ⟨RHS_t'([A]f₁), 𝓔⟩. 

Clearly, both cases lead to the required conclusion. 
— ad φ = ⟨A⟩f₁. Follows the same line of reasoning as the previous case. 
— ad φ = σX.f₁. Since X ∈ bnd(φ), this case follows immediately from the 
assumption on X and the definition of RHS. 

□ 

The above lemma is at the basis of the following proposition: 

Proposition 6.2. Let $L = (S, \mathit{Act}, \to)$ be a labelled transition system. Let $\phi$ be 
an arbitrary closed $\mu$-calculus formula. Let $s, s' \in S$ be an arbitrary pair of bisimilar 
states. We then have: 

$$\forall X \in \mathrm{bnd}(\phi) : \langle X_s, E^L(\phi) \rangle \leftrightarrow \langle X_{s'}, E^L(\phi) \rangle$$ 

PROOF. Let $\phi$ be an arbitrary closed formula, i.e., $\mathrm{occ}(\phi) \subseteq \mathrm{bnd}(\phi)$; since $\phi$ is 
a closed formula, $E^L(\phi)$ will be a closed equation system. In case $\mathrm{bnd}(\phi) = \emptyset$, the 
statement holds vacuously. Assume $\mathrm{bnd}(\phi) = \{X^1, \ldots, X^n\}$, for some $n \ge 1$. Clearly, 
for each variable $X^i \in \mathrm{bnd}(\phi)$, we obtain equations of the form $\sigma_i X^i_s = \mathrm{RHS}_s(f^i)$ in 
$E^L(\phi)$. Let $I$ be the relation on vertices, defined as follows: 

$$I = \{(\langle X^i_s, E^L(\phi) \rangle, \langle X^i_{s'}, E^L(\phi) \rangle) \mid s, s' \in S,\ X^i \in \mathrm{bnd}(\phi),\ s \leftrightarrow s'\}$$ 

According to Lemma 6.1, $I$ underlies the bisimilarity between $\langle \mathrm{RHS}_s(f^i), E^L(\phi) \rangle$ 
and $\langle \mathrm{RHS}_{s'}(f^i), E^L(\phi) \rangle$ for pairs of bisimilar states $s, s' \in S$. Let $R_{f^i}$ be the 
bisimulation relation underlying said equivalence. Let $R$ be defined as follows: 

$$R = I \cup \bigcup_{i} R_{f^i}$$ 

$R$ is again a bisimulation relation, as can be checked using the SOS rules for 
equations and Lemma 6.1. Clearly, $R$ relates $\langle X_s, E^L(\phi) \rangle$ and $\langle X_{s'}, E^L(\phi) \rangle$ for arbitrary 
$X \in \mathrm{bnd}(\phi)$ and bisimilar states $s, s' \in S$. □ 

As a result of the above proposition one can argue that bisimulation on processes 
is less powerful than bisimulation on equation systems. However, one may 
be inclined to believe that, combined with abstraction, bisimilarity on processes can 
lead to greater reductions. Below, we show that even in the presence of safe 
abstractions, bisimilarity on equation systems still surpasses bisimilarity on processes. 
We first formalise the notion of safe abstraction for processes. Assume $\tau$ is a 
constant, not present in any set of actions $\mathit{Act}$. 

Definition 6.3. An abstraction of a labelled transition system $L = (S, \mathit{Act}, \to)$ 
with respect to a set of actions $A \subseteq \mathit{Act}$ is the labelled transition system $L_A = (S, \mathit{Act} \cup \{\tau\}, \to_A)$, where: 

— for all actions $a \notin A$, $s \xrightarrow{a}_A s'$ iff $s \xrightarrow{a} s'$; 
— $s \xrightarrow{\tau}_A s'$ iff $s \xrightarrow{a} s'$ for some $a \in A$. 

In effect, an abstraction relabels an action that decorates a transition to $\tau$ only if 
that action appears in the set $A$. Clearly, if $s \leftrightarrow s'$ holds in $L$, then also $s \leftrightarrow s'$ in 
$L_A$, but the converse does not necessarily hold. 

Definition 6.4. An abstraction $L_A$ of $L$ is said to be safe with respect to a closed 
modal $\mu$-calculus formula $\phi$ iff for each subformula $[A']\psi$ and $\langle A' \rangle \psi$ of $\phi$, $A' \cap A = \emptyset$. 

It follows from the semantics of the modal $\mu$-calculus that all actions of some $L$ 
that are disjoint from the actions found inside the modalities in $\phi$ can be renamed to $\tau$ 
without affecting the validity of the model checking problem. 

Proposition 6.5. Let $L = (S, \mathit{Act}, \to)$ be a labelled transition system. Let $\phi$ be 
a closed modal $\mu$-calculus formula, and assume $L_A$ is a safe abstraction of $L$. Then 
for each state $s \in S$, we have $L, s \models \phi$ iff $L_A, s \models \phi$. 

The below theorem strengthens the result we obtained in Proposition 6.2, by stating 
that even in the presence of safe abstractions, bisimilarity for equation systems is 
at least as powerful as bisimilarity taking abstractions into account. 

Theorem 6.6. Let $L = (S, \mathit{Act}, \to)$ be an arbitrary labelled transition system. 
Let $\phi$ be an arbitrary closed modal $\mu$-calculus formula over $\mathit{Act}$. Then for every safe 
abstraction $L_A$ of $L$, we have for every pair of states $s, s' \in S$ that are bisimilar in $L_A$: 

$$\forall X \in \mathrm{bnd}(\phi) : \langle X_s, E^L(\phi) \rangle \leftrightarrow \langle X_{s'}, E^L(\phi) \rangle$$ 

PROOF. The proof is similar to the proof of Proposition 6.2. In particular, it 
relies on the definition of a safe abstraction to ensure that $\langle \mathrm{RHS}_s([A']\psi), \mathcal{E} \rangle$ and 
$\langle \mathrm{RHS}_{s'}([A']\psi), \mathcal{E} \rangle$, for states $s, s'$ that are bisimilar in $L_A$ but not in $L$, are mapped 
onto $\langle \mathit{true}, \mathcal{E} \rangle$ for both LTSs. □ 

Lastly, we provide an example that demonstrates that bisimulation reduction of 
equation systems can lead to arbitrarily larger reductions compared to the reduc- 
tions achievable through safe abstractions and minimisation of a given LTS. This 
provides the ultimate proof that bisimilarity for equation systems surpasses that 
for processes. 

Example 6.7. Let $N$ be an arbitrary positive number. Consider the process 
described by the following set of recursive processes (using process algebra style notation): 

$$\{P_1 = a \cdot Q_N,\ P_{n+1} = a \cdot P_n,\ Q_1 = b \cdot P_N,\ Q_{n+1} = b \cdot Q_n \mid n < N\}$$ 

Process $P_N$ induces an LTS $L$ that performs a sequence of $a$ actions of length $N$, 
followed by a sequence of $b$ actions of length $N$, returning to process $P_N$. Observe 
that the process $P_N$ cannot be reduced further modulo bisimulation. Let $\phi$ be 
the modal $\mu$-calculus formula $\phi = \nu X.\, \langle \{a, b\} \rangle X$, asserting that there is an infinite 
sequence consisting of $a$'s, $b$'s, or $a$'s and $b$'s. Clearly, there is no safe abstraction 
of process $P_N$ with respect to $\phi$, other than process $P_N$ itself. The equation system 
$E^{P_N}(\phi)$ is as follows: 

$$\nu\{(X_{P_1} = X_{Q_N} \vee X_{Q_N}),\ (X_{P_{n+1}} = X_{P_n} \vee X_{P_n}),\ (X_{Q_1} = X_{P_N} \vee X_{P_N}),\ (X_{Q_{n+1}} = X_{Q_n} \vee X_{Q_n}) \mid n < N\}$$ 

We find that $\langle X_{P_N}, E^{P_N}(\phi) \rangle$ and $\langle Y, (\nu Y = Y \vee Y) \rangle$ are bisimilar, which demonstrates a 
reduction of a factor $2N$. As the labelled transition system can be scaled to arbitrary 
size, this demonstrates that bisimilarity for equation systems can be arbitrarily 
more effective, i.e. $|E^{L/{\leftrightarrow}}(\phi)| > |E^L(\phi)/{\leftrightarrow}|$. 

7. APPLICATION 

Equation systems that are not immediately in simple form can be obtained through 
the reduction of process equivalence checking problems such as the branching 
bisimulation problem, see e.g. [Chen et al. 2007], and the more involved model checking 
problems. As a slightly more involved example of the latter, we analyse an 
unreliable channel using $\mu$-calculus model checking. The channel can read messages 
from its environment through the $r$ action, and next send or lose these through 
the $s$ action and the $l$ action, respectively. In case the message is lost, subsequent 
attempts are made to send the message until this finally succeeds; this is achieved 
through some internal system behaviour modelled by action $i$. The labelled 
transition system modelling this system is given below. 



[Figure: the labelled transition system of the unreliable channel, with states $s_0$, $s_1$, $s_2$ and transitions labelled $r$, $i$, $s$ and $l$.] 

Suppose we wish to verify for which states it holds that along all paths consisting 
of reading and sending actions, it is infinitely often possible to potentially 
never perform a send action. Intuitively, this should be the case in all states: from 
states $s_0$ and $s_1$, there is a finite path leading to state $s_1$, which can subsequently 
produce the infinite path $(s_1\, s_2)^\omega$, along which the send action does not occur. For 
state $s_2$, we observe that there is no path consisting of reading and sending actions, 
so the property holds vacuously in $s_2$. We formalise this problem as follows:³ 

$$\phi \equiv \nu X.\, \mu Y.\, \big(([\{r, s\}]X \wedge (\nu Z.\, \langle \overline{s} \rangle Z)) \vee [\{r, s\}]Y\big)$$ 

where $\overline{s}$ denotes the set of all actions other than $s$. 

Verifying which states in the labelled transition system satisfy $\phi$ is answered by 
solving the below equation system. Note that the equation system was obtained 
through Definition 2.8. The solution to $X_{s_i}$ answers whether $s_i \models \phi$. 

³Alternative phrasings are possible, but this one nicely projects onto an equation system with 
non-trivial right-hand sides, clearly illustrating the theory outlined in the previous sections in an 
example of manageable proportions. 

$(\nu X_{s_0} = Y_{s_0})$ 
$(\nu X_{s_1} = Y_{s_1})$ 
$(\nu X_{s_2} = Y_{s_2})$ 
$(\mu Y_{s_0} = ((X_{s_1} \wedge X_{s_1}) \wedge Z_{s_0}) \vee ((Y_{s_1} \wedge Y_{s_1}) \vee (Y_{s_1} \wedge Y_{s_1})))$ 
$(\mu Y_{s_1} = ((X_{s_0} \wedge X_{s_0}) \wedge Z_{s_1}) \vee ((Y_{s_0} \wedge Y_{s_0}) \vee (Y_{s_0} \wedge Y_{s_0})))$ 
$(\mu Y_{s_2} = (\mathit{true} \wedge Z_{s_2}) \vee \mathit{true})$ 
$(\nu Z_{s_0} = Z_{s_1} \vee Z_{s_1})$ 
$(\nu Z_{s_1} = Z_{s_2} \vee Z_{s_2})$ 
$(\nu Z_{s_2} = Z_{s_1} \vee Z_{s_1})$ 

An answer to the global model checking problem would be encoded by the structure 
graph $\langle X_{s_0} \wedge X_{s_1} \wedge X_{s_2}, E^L(\phi) \rangle$. We here only depict the structure graph encoding the 
local model checking problem $s_0 \models \phi$, encoded by the structure graph $\langle X_{s_0}, E^L(\phi) \rangle$, 
which has root $t_1$. Note that the ranked vertices $t_i$ originate from the $i$-th equation 
in the equation system. Likewise, the unranked vertices $u_i$ originate from the 
right-hand side of the $i$-th equation. 



[Figure: the structure graph $\langle X_{s_0}, E^L(\phi) \rangle$ with root $t_1$; ranked vertices $t_1, \ldots, t_9$ and unranked vertices $u_i$.] 

Observe that we have $t_1 \leftrightarrow t_2$, $t_7 \leftrightarrow t_8 \leftrightarrow t_9$, $t_4 \leftrightarrow t_5$ and $u_4 \leftrightarrow u_5$. Minimising the 
above structure graph with respect to bisimulation leads to the structure graph 
depicted below: 

[Figure: the minimised structure graph, with ranked vertices $t_1/{\leftrightarrow}$, $t_4/{\leftrightarrow}$, $t_7/{\leftrightarrow}$ and unranked vertices such as $u_2/{\leftrightarrow}$.] 

Note that the structure graph is BESsy, and, hence, admits a translation back to 
an equation system. Using the translation provided in Definition 3.9 results in the 
following equation system: 

$(\nu X_{t_1/{\leftrightarrow}} = X_{t_4/{\leftrightarrow}})$ 
$(\mu X_{t_4/{\leftrightarrow}} = (X_{t_7/{\leftrightarrow}} \wedge (X_{t_1/{\leftrightarrow}} \wedge X_{t_1/{\leftrightarrow}})) \vee (X_{t_4/{\leftrightarrow}} \vee X_{t_4/{\leftrightarrow}}))$ 
$(\nu X_{t_7/{\leftrightarrow}} = X_{t_7/{\leftrightarrow}})$ 

Answering the verification problem $s_0 \models \phi$ can thus be achieved by solving 
3 equations rather than the original 9 equations. Using standard algorithms for 
solving equation systems, one quickly finds that all equations of the minimised 
equation system (and thereby most of the equations from the original equation 
system they represent) have true as their solutions. Note that the respective sizes 
of the equation systems are 52 before minimisation and 14 after minimisation, which 
is almost a 75% gain; even when counting only the required equations in the original 
equation system, one still has a 65% gain. Such gains appear to be typical in this 
setting (see also [Keiren and Willemse 2009]), and surpass those in the setting of 
labelled transition systems. Similar gains are found for the global model checking 
problem. Observe, moreover, that the original labelled transition system already 
is minimal, demonstrating once more that the minimisation of an equation system 
can be more effective than minimising the original labelled transition system. 
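To see the comparison of Section 6 and the channel example at work, here is an added Python example (written for this edit; it is not code from the paper) that runs one and the same partition-refinement bisimulation once on an LTS and once on a term graph built from a BES. The term graph is a simplified stand-in for the structure graphs of the paper: each variable is a ranked node decorated with its fixpoint sign and rank whose only successor is its right-hand side, and each other subterm is a node decorated with its operator whose successors are its immediate subterms; the SOS rules themselves are not implemented. For Example 6.7 with $N = 4$ the LTS keeps $2N = 8$ classes while the equation system collapses to one equation, and for the channel the LTS keeps its three states while the nine equations collapse to the three classes reachable from $X_{s_0}$. The channel transitions used here ($s_0 \xrightarrow{r} s_1$, $s_1 \xrightarrow{s} s_0$, $s_1 \xrightarrow{l} s_2$, $s_2 \xrightarrow{i} s_1$) are my reading of the description in this section, since the figure did not survive, and the encoding of formulas as nested tuples is an assumption of this example.

```python
"""Strong bisimulation on an LTS versus on the term graph of a BES (added example)."""


def refine(items, signature):
    """Coarsest partition stable under `signature`, by iterated splitting.
    signature(x, block) only inspects current block numbers of successors of x,
    so each round refines the previous partition; stop when no block splits."""
    items = sorted(items, key=repr)
    block = {x: 0 for x in items}
    while True:
        ids, new = {}, {}
        for x in items:
            new[x] = ids.setdefault((block[x], signature(x, block)), len(ids))
        if len(ids) == len(set(block.values())):
            return new
        block = new


def lts_classes(states, trans):
    """Strong bisimulation classes of an LTS given as (state, action, state) triples."""
    succ = {s: [(a, t) for (u, a, t) in trans if u == s] for s in states}
    return refine(states, lambda s, b: frozenset((a, b[t]) for a, t in succ[s]))


# Formulas: True, False, ("var", name), ("and", f, g) or ("or", f, g).
def subterms(f, acc):
    acc.add(f)
    if isinstance(f, tuple) and f[0] != "var":
        subterms(f[1], acc)
        subterms(f[2], acc)
    return acc


def ranks(eqs):
    """Rank of each bound variable: 0 for a leading nu, +1 at every change of sign."""
    rank, prev, out = 0, "nu", {}
    for sigma, x, _ in eqs:
        if sigma != prev:
            rank, prev = rank + 1, sigma
        out[x] = rank
    return out


def bes_classes(eqs):
    """Bisimulation classes of the term graph of a BES given as (sigma, x, rhs) triples.
    Stand-in for the paper's structure graphs: ranked nodes carry (sign, rank),
    unranked nodes carry their operator; edges go to the immediate subterms."""
    rank, rhs = ranks(eqs), {x: f for _, x, f in eqs}
    sign = {x: sigma for sigma, x, _ in eqs}
    nodes = {("var", x) for x in rhs}
    for f in rhs.values():
        subterms(f, nodes)

    def sig(n, b):
        if n is True or n is False:
            return n
        if n[0] == "var":
            x = n[1]
            return ("var", sign[x], rank[x], b[rhs[x]]) if x in rhs else ("free", x)
        return (n[0], frozenset(b[c] for c in n[1:]))

    return refine(nodes, sig)


def reachable(eqs, start):
    """Variables whose equations are needed for the local problem for `start`."""
    rhs, seen, todo = {x: f for _, x, f in eqs}, set(), [start]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo += [n[1] for n in subterms(rhs[x], set()) if isinstance(n, tuple) and n[0] == "var"]
    return seen


def ranked_class_count(eqs, start=None):
    """Equations left after minimisation (only those reachable from `start`, if given)."""
    b = bes_classes(eqs)
    xs = reachable(eqs, start) if start else {x for _, x, _ in eqs}
    return len({b[("var", x)] for x in xs})


# Example 6.7: P_N -a-> ... -a-> P_1 -a-> Q_N -b-> ... -b-> Q_1 -b-> P_N.
def pn_lts(n):
    trans = {(f"P{k}", "a", f"P{k - 1}") for k in range(2, n + 1)}
    trans |= {(f"Q{k}", "b", f"Q{k - 1}") for k in range(2, n + 1)}
    trans |= {("P1", "a", f"Q{n}"), ("Q1", "b", f"P{n}")}
    return {s for s, _, _ in trans} | {t for _, _, t in trans}, trans


def encode_nu_diamond(states, trans, acts):
    """E^L(nu X.<A>X): nu X_s = disjunction of X_t over s -a-> t, a in A (false if none).
    The page lists every disjunct twice; x or x is identified with x here."""
    eqs = []
    for s in sorted(states):
        f = False
        for u, a, t in sorted(trans):
            if u == s and a in acts:
                f = ("var", f"X_{t}") if f is False else ("or", f, ("var", f"X_{t}"))
        eqs.append(("nu", f"X_{s}", f))
    return eqs


# Section 7: the channel LTS as read from the text (constructed) and the equation system listed there.
CHANNEL_LTS = ({"s0", "s1", "s2"}, {("s0", "r", "s1"), ("s1", "s", "s0"), ("s1", "l", "s2"), ("s2", "i", "s1")})
V, AND, OR = (lambda x: ("var", x)), (lambda a, b: ("and", a, b)), (lambda a, b: ("or", a, b))
CHANNEL_BES = [
    ("nu", "X0", V("Y0")), ("nu", "X1", V("Y1")), ("nu", "X2", V("Y2")),
    ("mu", "Y0", OR(AND(AND(V("X1"), V("X1")), V("Z0")), OR(AND(V("Y1"), V("Y1")), AND(V("Y1"), V("Y1"))))),
    ("mu", "Y1", OR(AND(AND(V("X0"), V("X0")), V("Z1")), OR(AND(V("Y0"), V("Y0")), AND(V("Y0"), V("Y0"))))),
    ("mu", "Y2", OR(AND(True, V("Z2")), True)),
    ("nu", "Z0", OR(V("Z1"), V("Z1"))), ("nu", "Z1", OR(V("Z2"), V("Z2"))), ("nu", "Z2", OR(V("Z1"), V("Z1"))),
]

if __name__ == "__main__":
    states, trans = pn_lts(4)
    print(len(set(lts_classes(states, trans).values())),                     # 8: the LTS is already minimal
          ranked_class_count(encode_nu_diamond(states, trans, {"a", "b"})))  # 1: a single equation remains
    print(len(set(lts_classes(*CHANNEL_LTS).values())),                      # 3: the channel LTS is minimal
          ranked_class_count(CHANNEL_BES, "X0"))                             # 3: equations needed for s0 |= phi
```

The ranked classes found for the channel coincide with the bisimilarities $t_1 \leftrightarrow t_2$, $t_4 \leftrightarrow t_5$ and $t_7 \leftrightarrow t_8 \leftrightarrow t_9$ noted above; $X_{s_2}$ and $Y_{s_2}$ form two further classes that are not needed for $s_0 \models \phi$. Rank is included in the signature so that equations from different alternation blocks are never identified, even when their right-hand sides look alike.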

8. CLOSING REMARKS 

Summary. We presented a set of deduction rules for deriving structure graphs 
from proposition formulae and Boolean equation systems, following the regime 
of [Plotkin 2004]. In defining these rules, we focused on simplicity. We carefully 
selected a small set of computationally cheap logical equivalences that we wished to 
be reflected by bisimilarity in our structure graphs, and subsequently showed that 
we met these goals. 

Structure graphs generalise the dependency graphs of e.g. [Mader 1997; Keinänen 
2006]. The latter formalism is incapable of capturing all the syntactic riches of 
Boolean equation systems, and is only suited for a subset of closed equation systems 
in simple form. A question, put forward in [Keiren and Willemse 2009] , is how these 
restrictions affect the power of reduction of strong bisimulation. In Section 4, we 
showed that these restrictions are in fact beneficial to the identifying power of 
bisimilarity. This result follows immediately from the meta-theory for structured 
operational rules, see e.g. [Mousavi et al. 2005]. We furthermore proved that also 
in our richer setting, bisimulation minimisation of a structure graph, induced by an 
equation system, preserves and reflects the solution to the original equation system. 
This generalises [Keiren and Willemse 2009, Theorem 1] for dependency graphs. 

Beyond the aforementioned results, we studied the connection between bisimi- 
larity for labelled transition systems, the /i-calculus model checking problem and 
bisimilarity for structure graphs. In Section 6, we showed that bisimulation minimi- 
sation of a structure graph (associated to an equation system encoding an arbitrary 
model checking problem on an arbitrary labelled transition system) is at least as 
effective as bisimulation minimisation of the labelled transition system prior to the 
encoding. This relation even holds when bisimilarity is combined with safe abstrac- 
tions for labelled transition systems. We moreover show that this relation is strict 
through an example formula <p and a labelled transition system L of 2N (N ^ 1) 
states that is already minimal (even when considering safe abstractions with respect 
to 0), whereas the structure graph induced by the equation system encoding the 
model checking problem can be reduced by a factor 2N. These results provide the 
theoretical underpinning for the huge reductions observed in [Keiren and Willemse 2009]. 

Outlook. The structure graphs that we considered in this paper are of both the- 
oretical and practical significance. They generalise various graph-based models, 
including the aforementioned dependency graphs, but also Parity Games [Zielonka 
1998], and there are strong links between our structure graphs and Switching 
Graphs [Groote and Ploeger 2009]. Given these links, a game-based characteri- 
sation of the concept of solution for equation systems, stated in terms of our choice 
functions and structure graphs is open for investigation. In general, we consider 
studying equivalences weaker than bisimilarity for structure graphs to be worth- 
while. For instance, it is not immediately clear whether the idempotence-identifying 
bisimilarity of [Keiren and Willemse 2009] , which weakens some of the requirements 
of strong bisimilarity while preserving and reflecting the solution of the equation 
system, carries over to structure graphs without significant modifications. Fur- 
thermore, it would be very interesting to study variations of stuttering equivalence 
in this context, as it is one of the few equivalence relations that allow for good 
compression at favourable computational complexities. 

A thorough understanding of the structure graphs, and the associated notions of 
bisimilarity defined thereon, can also be seen as a first step towards defining similar- 
spirited notions in the setting of parameterised Boolean equation systems [Groote 
and Willemse 2005]. The latter are high-level, symbolic descriptions of (possibly 
infinite) Boolean equation systems. The advantage of such a theory would be that it 
hopefully leads to more elegant and shorter proofs of various PBES manipulations 
that currently require lengthy and tedious (transfinite) inductive proofs. 

A. DETAILED PROOFS AND ADDITIONAL LEMMATA 

Lemma A.1. Let $f, g$ be formulae, $\mathcal{E}$ a BES, and $\eta$ an arbitrary environment. 
Then we have the following semantic equivalences: 

$$[\![\varphi(\langle f, \mathcal{E} \rangle) \wedge \varphi(\langle g, \mathcal{E} \rangle)]\!]\eta = [\![\varphi(\langle f \wedge g, \mathcal{E} \rangle)]\!]\eta$$ 

$$[\![\varphi(\langle f, \mathcal{E} \rangle) \vee \varphi(\langle g, \mathcal{E} \rangle)]\!]\eta = [\![\varphi(\langle f \vee g, \mathcal{E} \rangle)]\!]\eta$$ 

PROOF. We prove the first statement. The proof of the second statement is 
completely symmetric. 

We first prove the implication $[\![\varphi(\langle f \wedge g, \mathcal{E} \rangle)]\!]\eta \Rightarrow [\![\varphi(\langle f, \mathcal{E} \rangle) \wedge \varphi(\langle g, \mathcal{E} \rangle)]\!]\eta$. We use 
induction on the structure of $\varphi(\langle f \wedge g, \mathcal{E} \rangle)$: 

— case $\varphi(\langle f \wedge g, \mathcal{E} \rangle) = \sqcap\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$. It follows that $d(\langle f \wedge g, \mathcal{E} \rangle) = \blacktriangle$ 
and $\langle f \wedge g, \mathcal{E} \rangle \notin \mathrm{dom}(r)$. As $d(\langle f \wedge g, \mathcal{E} \rangle) = \blacktriangle$ and $\langle f \wedge g, \mathcal{E} \rangle$ is BESsy, there must 
be at least one $u'$ such that $\langle f \wedge g, \mathcal{E} \rangle \to u'$. 

We need to show that for each conjunct $u' \in \{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$ either 
$u' \in \{\varphi(u'') \mid \langle f, \mathcal{E} \rangle \to u''\}$ or $u' \in \{\varphi(u'') \mid \langle g, \mathcal{E} \rangle \to u''\}$, or $u' = \varphi(\langle f, \mathcal{E} \rangle)$, or 
$u' = \varphi(\langle g, \mathcal{E} \rangle)$. Let $u'$ be an arbitrary conjunct in $\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$. So we 
know $\langle f \wedge g, \mathcal{E} \rangle \to u'$. We apply case distinction on the inference rules that can 
introduce this edge. 

— $\langle f \wedge g, \mathcal{E} \rangle \to u'$ is introduced through rule (7). Then we may assume that 
$d(\langle f, \mathcal{E} \rangle) = \blacktriangle$, $\langle f, \mathcal{E} \rangle \notin \mathrm{dom}(r)$ and $\langle f, \mathcal{E} \rangle \to u'$. According to the definition of 
$\varphi$ we find that $\varphi(\langle f, \mathcal{E} \rangle) = \sqcap\{\varphi(u'') \mid \langle f, \mathcal{E} \rangle \to u''\}$. Hence by induction we find 
that $u'$ is a conjunct of $\varphi(\langle f, \mathcal{E} \rangle)$, and therefore also a conjunct of 
$\varphi(\langle f, \mathcal{E} \rangle) \wedge \varphi(\langle g, \mathcal{E} \rangle)$. 

— $\langle f \wedge g, \mathcal{E} \rangle \to u'$ is introduced through rule (8). This case is analogous to the 
previous case. 

— $\langle f \wedge g, \mathcal{E} \rangle \to u'$ is introduced through rule (11). We may assume that $\neg(\langle f, \mathcal{E} \rangle\,\blacktriangle)$. 
Therefore, $u' = \langle f, \mathcal{E} \rangle$, and the corresponding formula is $\varphi(\langle f, \mathcal{E} \rangle)$. 

— The cases where $\langle f \wedge g, \mathcal{E} \rangle \to u'$ is introduced through rules (12), (15) or (16) 
are analogous to the previous case. 

— case $\varphi(\langle f \wedge g, \mathcal{E} \rangle) = \sqcup\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$. According to rule (5) it must be 
the case that $\langle f \wedge g, \mathcal{E} \rangle\,\blacktriangle$. By BESsyness then $d(\langle f \wedge g, \mathcal{E} \rangle) \neq \blacktriangledown$, hence 
$\varphi(\langle f \wedge g, \mathcal{E} \rangle) \neq \sqcup\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$; hence this case cannot apply. 

— the cases where $\varphi(\langle f \wedge g, \mathcal{E} \rangle) \in \{\mathit{true}, \mathit{false}, X\}$ are analogous to the previous case. 

— case $\varphi(\langle f \wedge g, \mathcal{E} \rangle) = X_{\langle f \wedge g, \mathcal{E} \rangle}$. Appealing to rule (5) it must be the case that 
$\langle f \wedge g, \mathcal{E} \rangle\,\blacktriangle$. Furthermore we know $\langle f \wedge g, \mathcal{E} \rangle \in \mathrm{dom}(r)$. According to rule 
(2) all ranked terms are of the form $\langle Y, \mathcal{E} \rangle$, for some $Y$. This contradicts the 
assumption that the term we are considering is $\langle f \wedge g, \mathcal{E} \rangle$. 

The reverse case, showing that $[\![\varphi(\langle f \wedge g, \mathcal{E} \rangle)]\!]\eta \Leftarrow [\![\varphi(\langle f, \mathcal{E} \rangle) \wedge \varphi(\langle g, \mathcal{E} \rangle)]\!]\eta$, 
commences by induction on the structure of $\varphi(\langle f, \mathcal{E} \rangle)$ and $\varphi(\langle g, \mathcal{E} \rangle)$. We show that each 
conjunct of $\varphi(\langle f, \mathcal{E} \rangle)$ is also a conjunct of $\varphi(\langle f \wedge g, \mathcal{E} \rangle)$. The case for $\varphi(\langle g, \mathcal{E} \rangle)$ is 
completely analogous. 

— case $\varphi(\langle f, \mathcal{E} \rangle) = \sqcap\{\varphi(u') \mid \langle f, \mathcal{E} \rangle \to u'\}$. In this case we know that $d(\langle f, \mathcal{E} \rangle) = \blacktriangle$, 
and $\langle f, \mathcal{E} \rangle \notin \mathrm{dom}(r)$. Let $\langle f, \mathcal{E} \rangle \to u'$, so $\varphi(u')$ is a top level conjunct of $\varphi(\langle f, \mathcal{E} \rangle)$. 
From rule (7) it follows immediately that $\langle f \wedge g, \mathcal{E} \rangle \to u'$, and $d(\langle f \wedge g, \mathcal{E} \rangle) = \blacktriangle$ 
according to (5), hence $\varphi(\langle f \wedge g, \mathcal{E} \rangle) = \sqcap\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$, and $\varphi(u')$ is a 
conjunct of $\varphi(\langle f \wedge g, \mathcal{E} \rangle)$. 

— case $\varphi(\langle f, \mathcal{E} \rangle) = \sqcup\{\varphi(u') \mid \langle f, \mathcal{E} \rangle \to u'\}$. So we know that $d(\langle f, \mathcal{E} \rangle) = \blacktriangledown$ and $\langle f, \mathcal{E} \rangle \notin 
\mathrm{dom}(r)$. Observe that the only conjunct of $\varphi(\langle f, \mathcal{E} \rangle)$ is $\varphi(\langle f, \mathcal{E} \rangle)$ itself. We show 
that $\varphi(\langle f, \mathcal{E} \rangle)$ is a conjunct of $\varphi(\langle f \wedge g, \mathcal{E} \rangle)$. According to rule (11), $\langle f \wedge g, \mathcal{E} \rangle \to 
\langle f, \mathcal{E} \rangle$. Furthermore $d(\langle f \wedge g, \mathcal{E} \rangle) = \blacktriangle$ according to (5) and $\langle f \wedge g, \mathcal{E} \rangle \notin \mathrm{dom}(r)$ 
according to (2), hence $\varphi(\langle f \wedge g, \mathcal{E} \rangle) = \sqcap\{\varphi(u') \mid \langle f \wedge g, \mathcal{E} \rangle \to u'\}$, and $\varphi(\langle f, \mathcal{E} \rangle)$ is 
a conjunct of $\varphi(\langle f \wedge g, \mathcal{E} \rangle)$. 

— cases $\varphi(\langle f, \mathcal{E} \rangle) \in \{\mathit{true}, \mathit{false}, X\}$ follow a similar line of reasoning as the previous 
case. 

— case $\varphi(\langle f, \mathcal{E} \rangle) = X_{\langle f, \mathcal{E} \rangle}$, where $\langle f, \mathcal{E} \rangle \in \mathrm{dom}(r)$. This again follows a similar line of 
reasoning. We use the observation that the only edge that is generated from 
$\langle f \wedge g, \mathcal{E} \rangle$ induced by $\langle f, \mathcal{E} \rangle$ is the edge $\langle f \wedge g, \mathcal{E} \rangle \to \langle f, \mathcal{E} \rangle$, because $f$ is ranked, 
according to (15), and in case also $d(\langle f, \mathcal{E} \rangle) \notin \{\blacktriangle, \blacktriangledown\}$ the same edge is generated 
(according to rule (11)). 

□ 


Lemma A.2. Let $\mathcal{E}$ be a BES, $\eta$ an environment, such that $\eta(Y) = \eta(X_{\langle Y, \mathcal{E} \rangle})$ for 
all $Y \in \mathrm{bnd}(\mathcal{E})$. Let $f$ be a formula, such that $\mathrm{occ}(f) \subseteq \{Y \mid X_{\langle Y, \mathcal{E} \rangle} \in \mathrm{bnd}(\beta(\langle f, \mathcal{E} \rangle))\} \cup 
\mathrm{free}(\beta(\langle f, \mathcal{E} \rangle))$. Then it holds that $[\![f]\!]\eta = [\![\varphi(\langle f, \mathcal{E} \rangle)]\!]\eta$. 

PROOF. Let $\mathcal{E}$ be this BES, and $f$ a formula. Assume that $\mathrm{occ}(f) \subseteq \{Y \mid X_{\langle Y, \mathcal{E} \rangle} \in 
\mathrm{bnd}(\beta(\langle f, \mathcal{E} \rangle))\} \cup \mathrm{free}(\beta(\langle f, \mathcal{E} \rangle))$. We show that $[\![f]\!]\eta = [\![\varphi(\langle f, \mathcal{E} \rangle)]\!]\eta$ by induction on 
the structure of $f$. 

— $f = \mathit{true}$. By definition of $\varphi$, $[\![\varphi(\langle \mathit{true}, \mathcal{E} \rangle)]\!]\eta = [\![\mathit{true}]\!]\eta$. 
— $f = \mathit{false}$. Analogous to the previous case. 

— $f = Y$. We distinguish two cases, either $Y$ is bound, or $Y$ is free: 
— $Y$ is bound, i.e. $X_{\langle Y, \mathcal{E} \rangle} \in \mathrm{bnd}(\beta(\langle f, \mathcal{E} \rangle))$. We derive: 

$[\![\varphi(\langle Y, \mathcal{E} \rangle)]\!]\eta$ 
= {$X_{\langle Y, \mathcal{E} \rangle} \in \mathrm{bnd}(\beta(\langle f, \mathcal{E} \rangle))$, hence $\langle Y, \mathcal{E} \rangle \in \mathrm{dom}(r)$; use the definition of $\varphi$} 
$[\![X_{\langle Y, \mathcal{E} \rangle}]\!]\eta$ 
= {Semantics of BES} 
$\eta(X_{\langle Y, \mathcal{E} \rangle})$ 
= {Assumption $\eta(X_{\langle Y, \mathcal{E} \rangle}) = \eta(Y)$} 
$\eta(Y)$ 
= {Semantics of BES} 
$[\![Y]\!]\eta$ 

— $Y \in \mathrm{free}(\beta(\langle f, \mathcal{E} \rangle))$. This case is easy: as $Y$ is free in $\beta(\langle f, \mathcal{E} \rangle)$, the definition of 
$\varphi$ yields $\varphi(\langle Y, \mathcal{E} \rangle) = Y$, hence $[\![\varphi(\langle Y, \mathcal{E} \rangle)]\!]\eta = [\![Y]\!]\eta$. 

— $f = g \wedge g'$. Based on the SOS we know that $d(\langle g \wedge g', \mathcal{E} \rangle) = \blacktriangle$. As induction 
hypothesis we assume that the lemma holds for all subformulae. We derive: 

$[\![\varphi(\langle g \wedge g', \mathcal{E} \rangle)]\!]\eta$ 
= {Lemma A.1} 
$[\![\varphi(\langle g, \mathcal{E} \rangle) \wedge \varphi(\langle g', \mathcal{E} \rangle)]\!]\eta$ 
= {Semantics of BES} 
$[\![\varphi(\langle g, \mathcal{E} \rangle)]\!]\eta \wedge [\![\varphi(\langle g', \mathcal{E} \rangle)]\!]\eta$ 
= {Induction hypothesis} 
$[\![g]\!]\eta \wedge [\![g']\!]\eta$ 
= {Semantics of BES} 
$[\![g \wedge g']\!]\eta$ 

— $f = g \vee g'$. Analogous to the previous case. 
□ 

Lemma A.3. Let $\mathcal{E}$ be a BES, $(\sigma X = f) \in \mathcal{E}$. Then it holds that $\varphi(\langle f, \mathcal{E} \rangle) = 
\mathrm{rhs}(\langle X, \mathcal{E} \rangle)$. 

PROOF. Assume that $(\sigma X = f) \in \mathcal{E}$. Observe that $\langle X, \mathcal{E} \rangle \in \mathrm{dom}(r)$. We show 
this lemma using case distinction on the rules for $\mathrm{rhs}$. 

— $d(\langle X, \mathcal{E} \rangle) = \blacktriangle$. Then according to rule (19) also $d(\langle f, \mathcal{E} \rangle) = \blacktriangle$, and furthermore 
$\langle f, \mathcal{E} \rangle \notin \mathrm{dom}(r)$. We derive: 

$\mathrm{rhs}(\langle X, \mathcal{E} \rangle)$ 
= {Definition of $\mathrm{rhs}$} 
$\sqcap\{\varphi(u') \mid \langle X, \mathcal{E} \rangle \to u'\}$ 
= {$d(\langle f, \mathcal{E} \rangle) = \blacktriangle$ and $\langle X, \mathcal{E} \rangle \in \mathrm{dom}(r)$, hence $\langle X, \mathcal{E} \rangle \to u'$ iff $\langle f, \mathcal{E} \rangle \to u'$ according to rule (23)} 
$\sqcap\{\varphi(u') \mid \langle f, \mathcal{E} \rangle \to u'\}$ 
= {Definition of $\varphi$} 
$\varphi(\langle f, \mathcal{E} \rangle)$ 

— $d(\langle X, \mathcal{E} \rangle) = \blacktriangledown$. Analogous to the previous case. 

— $d(\langle X, \mathcal{E} \rangle) \neq \blacktriangle$ and $d(\langle X, \mathcal{E} \rangle) \neq \blacktriangledown$. We know that there is exactly one $u'$ such that 
$\langle X, \mathcal{E} \rangle \to u'$, hence using rule (21) we find $\langle X, \mathcal{E} \rangle \to \langle f, \mathcal{E} \rangle$. By definition of $\mathrm{rhs}$, 
$\mathrm{rhs}(\langle X, \mathcal{E} \rangle) = \varphi(\langle f, \mathcal{E} \rangle)$. 

□ 

Proposition A.4 (Proposition 3.10 in the main text). Let $\mathcal{E}$ be a BES 
such that $(\sigma Y = f) \in \mathcal{E}$. Then for all environments $\eta$ for which $\eta(Y) = \eta(X_{\langle Y, \mathcal{E} \rangle})$, 
$[\![f]\!]\eta = [\![\mathrm{rhs}(\langle Y, \mathcal{E} \rangle)]\!]\eta$. 

PROOF. We prove this using a distinction on the cases of $\mathrm{rhs}(\langle Y, \mathcal{E} \rangle)$. 

— case $d(\langle Y, \mathcal{E} \rangle) = \blacktriangle$. We derive: 

$[\![\mathrm{rhs}(\langle Y, \mathcal{E} \rangle)]\!]\eta$ 
= {Lemma A.3, $(\sigma Y = f) \in \mathcal{E}$} 
$[\![\varphi(\langle f, \mathcal{E} \rangle)]\!]\eta$ 
= {Lemma A.2} 
$[\![f]\!]\eta$ 

— The cases where $d(\langle Y, \mathcal{E} \rangle) = \blacktriangledown$ and $d(\langle Y, \mathcal{E} \rangle) \notin \{\blacktriangle, \blacktriangledown\}$ are completely analogous. 
□ 

Lemma A.5. Let $\mathcal{E}_n = (\sigma_1 X_1 = f_1) \ldots (\sigma_n X_n = f_n)$ and $\mathcal{E}'_n = (\sigma_1 X'_1 = f'_1) \ldots (\sigma_n X'_n = 
f'_n)$. If for all environments $\eta$ such that $\eta(Y) = \eta(Y')$ for all $Y$, it holds that for all 
$i$, $1 \le i \le n$: $[\![f_i]\!]\eta = [\![f'_i]\!]\eta$, then for all $\eta'$ that satisfy $\eta'(Z) = \eta'(Z')$ for all $Z \in \mathrm{occ}(\mathcal{E}_n) \setminus \mathrm{bnd}(\mathcal{E}_n)$, 
it holds for all $X_i \in \mathrm{bnd}(\mathcal{E}_n)$ that $[\![\mathcal{E}_n]\!]\eta'(X_i) = [\![\mathcal{E}'_n]\!]\eta'(X'_i)$. 

PROOF. We prove this by induction on $n$. 

— case $n = 0$; this case is trivial. 
— case $n = k + 1$. Denote 

$$\mathcal{E}_{k+1} \equiv (\sigma_0 X_0 = f_0)\,\mathcal{E}_k \equiv (\sigma_0 X_0 = f_0)(\sigma_1 X_1 = f_1) \ldots (\sigma_k X_k = f_k)$$ 
$$\mathcal{E}'_{k+1} \equiv (\sigma_0 X'_0 = f'_0)\,\mathcal{E}'_k \equiv (\sigma_0 X'_0 = f'_0)(\sigma_1 X'_1 = f'_1) \ldots (\sigma_k X'_k = f'_k)$$ 

Assume that for all $\theta$ satisfying $\theta(Y) = \theta(Y')$ for all $Y$, it holds that 
$[\![f_i]\!]\theta = [\![f'_i]\!]\theta$ for $0 \le i \le k$. 

Let $\theta'$ be an arbitrary environment such that $\theta'(Z) = \theta'(Z')$ for all $Z \in \mathrm{occ}(\mathcal{E}_{k+1}) \setminus \mathrm{bnd}(\mathcal{E}_{k+1})$. 
Let $X_i \in \mathrm{bnd}(\mathcal{E}_{k+1})$. 

We show that $[\![(\sigma_0 X_0 = f_0)\,\mathcal{E}_k]\!]\theta'(X_i) = [\![(\sigma_0 X'_0 = f'_0)\,\mathcal{E}'_k]\!]\theta'(X'_i)$ for $\sigma_0 = \nu$; the 
case $\sigma_0 = \mu$ is completely analogous (with $\mathit{false}$ in place of $\mathit{true}$). We derive the following: 

$[\![(\sigma_0 X_0 = f_0)\,\mathcal{E}_k]\!]\theta'(X_i)$ 
= {Semantics of BES} 
$[\![\mathcal{E}_k]\!]\theta'[X_0 := [\![f_0]\!]([\![\mathcal{E}_k]\!]\theta'[X_0 := \mathit{true}])](X_i)$ 
= {$X'_0 \notin \mathrm{occ}(\mathcal{E}_k) \cup \mathrm{bnd}(\mathcal{E}_k) \cup \mathrm{occ}(f_0)$} 
$[\![\mathcal{E}_k]\!]\theta'[X_0 := [\![f_0]\!]([\![\mathcal{E}_k]\!]\theta'[X_0, X'_0 := \mathit{true}])](X_i)$ 
= {Induction hypothesis} 
$[\![\mathcal{E}_k]\!]\theta'[X_0 := [\![f_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X_0, X'_0 := \mathit{true}])](X_i)$ 
= {Assumption on $\theta'$} 
$[\![\mathcal{E}_k]\!]\theta'[X_0 := [\![f'_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X_0, X'_0 := \mathit{true}])](X_i)$ 
= {$X_0 \notin \mathrm{occ}(\mathcal{E}'_k) \cup \mathrm{bnd}(\mathcal{E}'_k) \cup \mathrm{occ}(f'_0)$} 
$[\![\mathcal{E}_k]\!]\theta'[X_0 := [\![f'_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X'_0 := \mathit{true}])](X_i)$ 
= {$X'_0 \notin \mathrm{bnd}(\mathcal{E}_k) \cup \mathrm{occ}(\mathcal{E}_k)$} 
$[\![\mathcal{E}_k]\!]\theta'[X_0, X'_0 := [\![f'_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X'_0 := \mathit{true}])](X_i)$ 
= {Induction hypothesis} 
$[\![\mathcal{E}'_k]\!]\theta'[X_0, X'_0 := [\![f'_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X'_0 := \mathit{true}])](X'_i)$ 
= {$X_0 \notin \mathrm{bnd}(\mathcal{E}'_k) \cup \mathrm{occ}(\mathcal{E}'_k)$} 
$[\![\mathcal{E}'_k]\!]\theta'[X'_0 := [\![f'_0]\!]([\![\mathcal{E}'_k]\!]\theta'[X'_0 := \mathit{true}])](X'_i)$ 
= {Semantics of BES} 
$[\![(\sigma_0 X'_0 = f'_0)\,\mathcal{E}'_k]\!]\theta'(X'_i)$ 

□ 

Recall the definition of $\kappa$, extracting the relevant variables and equations. Given 
a formula $f$ and a BES $\mathcal{E}$, we inductively define the set of relevant proposition 
variables $\kappa$ as follows: 

$$\kappa^0_{\mathcal{E}}(f) = \mathrm{occ}(f)$$ 
$$\kappa^{n+1}_{\mathcal{E}}(f) = \kappa^n_{\mathcal{E}}(f) \cup \{X \mid Y \in \kappa^n_{\mathcal{E}}(f) \wedge (\sigma Y = g) \in \mathcal{E} \wedge X \in \mathrm{occ}(g)\}$$ 
$$\kappa_{\mathcal{E}}(f) = \bigcup_{n \in \mathbb{N}} \kappa^n_{\mathcal{E}}(f)$$ 

The set of relevant proposition variables contains exactly the variables on which $f$, 
interpreted in the context of $\mathcal{E}$, depends in some way. 

Using such a set $\kappa$ of relevant variables, we can define the BES $\mathcal{E}$ restricted to $\kappa$, 
denoted $\mathcal{E}_\kappa$, inductively as follows: 


Property A.6. Let $\mathcal{E}$ be a BES, and $f$ a formula. $(\sigma X = g) \in \mathcal{E}_\kappa$ implies that 
$\mathrm{rank}_{\mathcal{E}_\kappa}(X) = \mathrm{rank}_{\beta(\langle f, \mathcal{E} \rangle)}(X_{\langle X, \mathcal{E} \rangle})$. 

Theorem A.7 (Theorem 3.11 in the main text). Let $\mathcal{E}$ be a BES and $\eta$ an 
environment. Then for all formulae $f$ it holds that $[\![f]\!]([\![\mathcal{E}]\!]\eta) = [\![\varphi(\langle f, \mathcal{E} \rangle)]\!]([\![\beta(\langle f, \mathcal{E} \rangle)]\!]\eta)$. 

PROOF. First we restrict $\mathcal{E}$ to the equations that are relevant for $f$, i.e. let $\kappa = 
\kappa_{\mathcal{E}}(f)$; then $\mathcal{E}_\kappa$ and $\beta(\langle f, \mathcal{E} \rangle)$ have the same fixpoint alternations, and the equation 
systems can be aligned such that each equation $(\sigma Y = g) \in \mathcal{E}_\kappa$ is at the same position 
as the equation $(\sigma X_{\langle Y, \mathcal{E} \rangle} = \mathrm{rhs}(\langle Y, \mathcal{E} \rangle)) \in \beta(\langle f, \mathcal{E} \rangle)$. In other words, we have 

$$\mathcal{E}_\kappa = (\sigma_1 Y_1 = f_1) \ldots (\sigma_n Y_n = f_n)$$ 
$$\beta(\langle f, \mathcal{E} \rangle) = (\sigma_1 X_{\langle Y_1, \mathcal{E} \rangle} = \mathrm{rhs}(\langle Y_1, \mathcal{E} \rangle)) \ldots (\sigma_n X_{\langle Y_n, \mathcal{E} \rangle} = \mathrm{rhs}(\langle Y_n, \mathcal{E} \rangle))$$ 

Observe that for all $\eta$ satisfying $\eta(Y) = \eta(X_{\langle Y, \mathcal{E} \rangle})$ for all $Y$, it holds that for all $i$, 
$1 \le i \le n$: $[\![f_i]\!]\eta = [\![\mathrm{rhs}(\langle Y_i, \mathcal{E} \rangle)]\!]\eta$ using Proposition A.4. Our conclusion that both 
solutions are equivalent now follows immediately from Lemma A.5. □ 
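The two "Semantics of BES" steps in the proof of Lemma A.5 are all one needs to evaluate a closed equation system on the Boolean lattice. The Python below is an added example (written for this edit, not code from the paper) that implements exactly that reading: the fixpoint of the first equation is taken over the solution of the remaining equations, and since the lattice has only two points the greatest (least) fixpoint of a monotone map is its value at $\mathit{true}$ ($\mathit{false}$). It is run on the nine-equation channel system of Section 7 and on its three-equation minimisation, and it recomputes the size 52 quoted there (one per equation plus one per node of each right-hand side). The tuple encoding of formulas and the variable names $t_1, t_4, t_7$ for $X_{t_i/{\leftrightarrow}}$ are assumptions of this example.

```python
"""Evaluating a BES with the semantics used in the proof of Lemma A.5 (added example)."""

NU, MU = "nu", "mu"
V, AND, OR = (lambda x: ("var", x)), (lambda a, b: ("and", a, b)), (lambda a, b: ("or", a, b))


def eval_formula(f, env):
    """[f]env for f built from True, False, ("var", x), ("and", f, g) and ("or", f, g)."""
    if f is True or f is False:
        return f
    if f[0] == "var":
        return env[f[1]]
    a, b = eval_formula(f[1], env), eval_formula(f[2], env)
    return (a and b) if f[0] == "and" else (a or b)


def solve(eqs, env=None):
    """[E]env for E a list of (sigma, x, f), processed left to right:

        [(sigma X = f) E']env = [E']env[X := sigma v. [f]([E']env[X := v])]

    On the two-point lattice the greatest (least) fixpoint of a monotone map is
    its value at true (false); that is the 'Semantics of BES' step of Lemma A.5.
    """
    env = dict(env or {})
    if not eqs:
        return env
    (sigma, x, f), rest = eqs[0], eqs[1:]
    seed = dict(env)
    seed[x] = sigma == NU                         # true for nu, false for mu
    env[x] = eval_formula(f, solve(rest, seed))   # the fixpoint value of X
    return solve(rest, env)                       # solve the tail under that value


def size(eqs):
    """Size as counted in Section 7: one per equation plus one per node of its right-hand side."""
    def nodes(f):
        return 1 if f is True or f is False or f[0] == "var" else 1 + nodes(f[1]) + nodes(f[2])
    return sum(1 + nodes(f) for _, _, f in eqs)


# The nine-equation system for the unreliable channel, as listed in Section 7.
CHANNEL_BES = [
    (NU, "X0", V("Y0")), (NU, "X1", V("Y1")), (NU, "X2", V("Y2")),
    (MU, "Y0", OR(AND(AND(V("X1"), V("X1")), V("Z0")), OR(AND(V("Y1"), V("Y1")), AND(V("Y1"), V("Y1"))))),
    (MU, "Y1", OR(AND(AND(V("X0"), V("X0")), V("Z1")), OR(AND(V("Y0"), V("Y0")), AND(V("Y0"), V("Y0"))))),
    (MU, "Y2", OR(AND(True, V("Z2")), True)),
    (NU, "Z0", OR(V("Z1"), V("Z1"))), (NU, "Z1", OR(V("Z2"), V("Z2"))), (NU, "Z2", OR(V("Z1"), V("Z1"))),
]

# Its three-equation minimisation from Section 7 (t1, t4, t7 stand for X_{t_i/<->}).
MINIMISED_BES = [
    (NU, "t1", V("t4")),
    (MU, "t4", OR(AND(V("t7"), AND(V("t1"), V("t1"))), OR(V("t4"), V("t4")))),
    (NU, "t7", V("t7")),
]

if __name__ == "__main__":
    print(solve(CHANNEL_BES))        # every variable solves to true
    print(solve(MINIMISED_BES))      # and so does the minimised system
    print(size(CHANNEL_BES))         # 52
    # Sign and order matter: nu X. mu Y over X = Y, Y = X versus mu Y. nu X over the same equations.
    print(solve([(NU, "X", V("Y")), (MU, "Y", V("X"))]), solve([(MU, "Y", V("X")), (NU, "X", V("Y"))]))
```

Evaluating each equation over a fresh solution of its tail takes time exponential in the number of equations; that mirrors the proof rather than an efficient solver and is fine for nine equations, not for the systems of Section 1. The final line of the main block shows why the order of equations is part of the semantics: $\nu X.\,\mu Y$ over $X = Y$, $Y = X$ solves to $\mathit{true}$, whereas $\mu Y.\,\nu X$ over the same two equations solves to $\mathit{false}$.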